f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe
Size

15.2MB
MD5

23ac2dd53d9f44b721e72fa848ca6cbf
SHA1

891ff5cc02e260c348daf8bb35ec80e28fc193f1
SHA256

f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151
SHA512

43fbb3aa4ec80073ee98b64c0ade9011e14fee1e0cabf3f9378c4096ee02b864d16e8e9a8e336a833a97136c28a335da96c0b2764a25605040fdeb09dded2503
SSDEEP

393216:8Xrg24dyVnq2PJ1E7hSHMiusfjEo0Uqr+9JDiQB9X:8cddyVXJOufQo0Uqk+O

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SETFBA.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETFBA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1428	netsh.exe
2524	netsh.exe
2876	netsh.exe
4392	netsh.exe
536	netsh.exe

Executes dropped EXE 8 IoCs

pid	Process
2904	kcinst.exe
3104	letsvpn-latest.exe
4244	kcinst.exe
3544	tapinstall.exe
1900	tapinstall.exe
2396	tapinstall.exe
1084	LetsPRO.exe
4272	LetsPRO.exe

Loads dropped DLL 64 IoCs

pid	Process
2904	kcinst.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
3104	letsvpn-latest.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\" /silent"	LetsPRO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	kcinst.exe
File opened (read-only)	\??\R:	kcinst.exe
File opened (read-only)	\??\W:	kcinst.exe
File opened (read-only)	\??\Y:	kcinst.exe
File opened (read-only)	\??\Z:	kcinst.exe
File opened (read-only)	\??\B:	kcinst.exe
File opened (read-only)	\??\J:	kcinst.exe
File opened (read-only)	\??\O:	kcinst.exe
File opened (read-only)	\??\N:	kcinst.exe
File opened (read-only)	\??\S:	kcinst.exe
File opened (read-only)	\??\G:	kcinst.exe
File opened (read-only)	\??\L:	kcinst.exe
File opened (read-only)	\??\M:	kcinst.exe
File opened (read-only)	\??\U:	kcinst.exe
File opened (read-only)	\??\X:	kcinst.exe
File opened (read-only)	\??\I:	kcinst.exe
File opened (read-only)	\??\K:	kcinst.exe
File opened (read-only)	\??\Q:	kcinst.exe
File opened (read-only)	\??\V:	kcinst.exe
File opened (read-only)	\??\E:	kcinst.exe
File opened (read-only)	\??\H:	kcinst.exe
File opened (read-only)	\??\T:	kcinst.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3548	cmd.exe
1208	ARP.EXE

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\SETD5B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\SETD49.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\SETD4A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF	tapinstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\SETD4A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\SETD49.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\SETD5B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ef8e520-028d-5845-97ab-6e999c074569}\tap0901.cat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\LetsVPNDomainModel.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.AppCenter.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.NameResolution.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.Serialization.Json.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\ja\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Win32.Primitives.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.WebSockets.Client.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Web.Services.Description.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Xml.XmlSerializer.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\cs	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Web.WebView2.Core.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\SQLitePCLRaw.provider.dynamic_cdecl.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Text.RegularExpressions.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\ja	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.AppContext.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.Pipes.AccessControl.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ServiceModel.Primitives.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Windows.Interactivity.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\netstandard.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\fr	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\x64	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\SharpCompress.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.PerformanceCounter.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.AccessControl.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Cng.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\x86\WebView2Loader.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Win32.SystemEvents.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.InteropServices.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Xml.XPath.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\fr\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Mono.Cecil.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\NuGet.Squirrel.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\PusherClient.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.AppContext.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.Tools.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Globalization.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Linq.Queryable.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Security.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.ThreadPool.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\zh-Hant	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Squirrel.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Collections.NonGeneric.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Globalization.Calendars.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Text.RegularExpressions.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.Thread.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-arm\native\e_sqlite3.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Data.Odbc.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Drawing.Common.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Primitives.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Xml.XmlDocument.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.AppCenter.Analytics.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Bcl.AsyncInterfaces.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.IsolatedStorage.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Requests.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Requests.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Principal.Windows.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Text.Encoding.Extensions.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\log4net.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Data.Common.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.Debug.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ServiceModel.Syndication.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\ru\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\MdXaml.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Linq.dll	letsvpn-latest.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1644	powershell.exe
5028	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LetsPRO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LetsPRO.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3992	ipconfig.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\" \"%1\""	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\ = "letsvpn2Protocol"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\",1"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell	LetsPRO.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c69214000000010000001400000032eb929aff3596482f284042702036915c1785e60400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a41900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 0f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be0b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000006200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a3814000000010000001400000032eb929aff3596482f284042702036915c1785e61d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f609000000010000000c000000300a06082b06010505070303030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 1900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d09000000010000000c000000300a06082b060105050703031d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f614000000010000001400000032eb929aff3596482f284042702036915c1785e66200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a380b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000000f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LetsPRO.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	LetsPRO.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	powershell.exe
1644	powershell.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe
4244	kcinst.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeAuditPrivilege	4400	svchost.exe
Token: SeSecurityPrivilege	4400	svchost.exe
Token: SeLoadDriverPrivilege	1900	tapinstall.exe
Token: SeRestorePrivilege	2412	DrvInst.exe
Token: SeBackupPrivilege	2412	DrvInst.exe
Token: SeLoadDriverPrivilege	2412	DrvInst.exe
Token: SeLoadDriverPrivilege	2412	DrvInst.exe
Token: SeLoadDriverPrivilege	2412	DrvInst.exe
Token: SeDebugPrivilege	4272	LetsPRO.exe
Token: SeIncreaseQuotaPrivilege	4272	LetsPRO.exe
Token: SeSecurityPrivilege	4272	LetsPRO.exe
Token: SeTakeOwnershipPrivilege	4272	LetsPRO.exe
Token: SeLoadDriverPrivilege	4272	LetsPRO.exe
Token: SeSystemProfilePrivilege	4272	LetsPRO.exe
Token: SeSystemtimePrivilege	4272	LetsPRO.exe
Token: SeProfSingleProcessPrivilege	4272	LetsPRO.exe
Token: SeIncBasePriorityPrivilege	4272	LetsPRO.exe
Token: SeCreatePagefilePrivilege	4272	LetsPRO.exe
Token: SeBackupPrivilege	4272	LetsPRO.exe
Token: SeRestorePrivilege	4272	LetsPRO.exe
Token: SeShutdownPrivilege	4272	LetsPRO.exe
Token: SeDebugPrivilege	4272	LetsPRO.exe
Token: SeSystemEnvironmentPrivilege	4272	LetsPRO.exe
Token: SeRemoteShutdownPrivilege	4272	LetsPRO.exe
Token: SeUndockPrivilege	4272	LetsPRO.exe
Token: SeManageVolumePrivilege	4272	LetsPRO.exe
Token: 33	4272	LetsPRO.exe
Token: 34	4272	LetsPRO.exe
Token: 35	4272	LetsPRO.exe
Token: 36	4272	LetsPRO.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe
4272	LetsPRO.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4244	kcinst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2904	4756	f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe	86
PID 4756 wrote to memory of 2904	4756	f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe	86
PID 4756 wrote to memory of 3104	4756	f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe	87
PID 4756 wrote to memory of 3104	4756	f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe	87
PID 4756 wrote to memory of 3104	4756	f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe	87
PID 3104 wrote to memory of 1644	3104	letsvpn-latest.exe	88
PID 3104 wrote to memory of 1644	3104	letsvpn-latest.exe	88
PID 3104 wrote to memory of 1644	3104	letsvpn-latest.exe	88
PID 3104 wrote to memory of 5028	3104	letsvpn-latest.exe	106
PID 3104 wrote to memory of 5028	3104	letsvpn-latest.exe	106
PID 3104 wrote to memory of 5028	3104	letsvpn-latest.exe	106
PID 3104 wrote to memory of 3544	3104	letsvpn-latest.exe	109
PID 3104 wrote to memory of 3544	3104	letsvpn-latest.exe	109
PID 3104 wrote to memory of 1900	3104	letsvpn-latest.exe	111
PID 3104 wrote to memory of 1900	3104	letsvpn-latest.exe	111
PID 4400 wrote to memory of 4852	4400	svchost.exe	115
PID 4400 wrote to memory of 4852	4400	svchost.exe	115
PID 4400 wrote to memory of 2412	4400	svchost.exe	116
PID 4400 wrote to memory of 2412	4400	svchost.exe	116
PID 3104 wrote to memory of 2520	3104	letsvpn-latest.exe	121
PID 3104 wrote to memory of 2520	3104	letsvpn-latest.exe	121
PID 3104 wrote to memory of 2520	3104	letsvpn-latest.exe	121
PID 2520 wrote to memory of 1428	2520	cmd.exe	123
PID 2520 wrote to memory of 1428	2520	cmd.exe	123
PID 2520 wrote to memory of 1428	2520	cmd.exe	123
PID 3104 wrote to memory of 5020	3104	letsvpn-latest.exe	124
PID 3104 wrote to memory of 5020	3104	letsvpn-latest.exe	124
PID 3104 wrote to memory of 5020	3104	letsvpn-latest.exe	124
PID 5020 wrote to memory of 2524	5020	cmd.exe	126
PID 5020 wrote to memory of 2524	5020	cmd.exe	126
PID 5020 wrote to memory of 2524	5020	cmd.exe	126
PID 3104 wrote to memory of 3092	3104	letsvpn-latest.exe	127
PID 3104 wrote to memory of 3092	3104	letsvpn-latest.exe	127
PID 3104 wrote to memory of 3092	3104	letsvpn-latest.exe	127
PID 3092 wrote to memory of 2876	3092	cmd.exe	129
PID 3092 wrote to memory of 2876	3092	cmd.exe	129
PID 3092 wrote to memory of 2876	3092	cmd.exe	129
PID 3104 wrote to memory of 3872	3104	letsvpn-latest.exe	130
PID 3104 wrote to memory of 3872	3104	letsvpn-latest.exe	130
PID 3104 wrote to memory of 3872	3104	letsvpn-latest.exe	130
PID 3872 wrote to memory of 4392	3872	cmd.exe	132
PID 3872 wrote to memory of 4392	3872	cmd.exe	132
PID 3872 wrote to memory of 4392	3872	cmd.exe	132
PID 3104 wrote to memory of 4552	3104	letsvpn-latest.exe	133
PID 3104 wrote to memory of 4552	3104	letsvpn-latest.exe	133
PID 3104 wrote to memory of 4552	3104	letsvpn-latest.exe	133
PID 4552 wrote to memory of 536	4552	cmd.exe	136
PID 4552 wrote to memory of 536	4552	cmd.exe	136
PID 4552 wrote to memory of 536	4552	cmd.exe	136
PID 3104 wrote to memory of 2396	3104	letsvpn-latest.exe	137
PID 3104 wrote to memory of 2396	3104	letsvpn-latest.exe	137
PID 3104 wrote to memory of 1084	3104	letsvpn-latest.exe	139
PID 3104 wrote to memory of 1084	3104	letsvpn-latest.exe	139
PID 3104 wrote to memory of 1084	3104	letsvpn-latest.exe	139
PID 1084 wrote to memory of 4272	1084	LetsPRO.exe	140
PID 1084 wrote to memory of 4272	1084	LetsPRO.exe	140
PID 1084 wrote to memory of 4272	1084	LetsPRO.exe	140
PID 4272 wrote to memory of 4004	4272	LetsPRO.exe	148
PID 4272 wrote to memory of 4004	4272	LetsPRO.exe	148
PID 4272 wrote to memory of 4004	4272	LetsPRO.exe	148
PID 4004 wrote to memory of 3992	4004	cmd.exe	150
PID 4004 wrote to memory of 3992	4004	cmd.exe	150
PID 4004 wrote to memory of 3992	4004	cmd.exe	150
PID 4272 wrote to memory of 3620	4272	LetsPRO.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe
"C:\Users\Admin\AppData\Local\Temp\f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\update\kcinst.exe
  C:\Users\Admin\AppData\Local\Temp\update\kcinst.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\update\letsvpn-latest.exe
  C:\Users\Admin\AppData\Local\Temp\update\letsvpn-latest.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3544
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=lets
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=lets
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=lets.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=lets.exe
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsPRO.exe
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsPRO
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsVPN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:536
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2396
- - C:\Program Files (x86)\letsvpn\LetsPRO.exe
    "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe
      "C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies registry class
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3992
    - - C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C route print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:960
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C arp -a
        5⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:3548
      - C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:1208

C:\Users\Admin\AppData\Local\Temp\update\kcinst.exe
C:\Users\Admin\AppData\Local\Temp\\update\kcinst.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{38ac6c73-d087-2c47-9332-dd1123413e27}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\letsvpn\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4852
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000178"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1

Filesize
318B

MD5
b34636a4e04de02d079ba7325e7565f0

SHA1
f32c1211eac22409bb195415cb5a8063431f75cd

SHA256
a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df

SHA512
6eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f

Download Submit
C:\Program Files (x86)\letsvpn\LetsPRO.exe

Filesize
240KB

MD5
bd8643e5db648810348aa0755e455b70

SHA1
119cb1fb3057d9759d0abb3dfdafc460456c1cc4

SHA256
bec6a116ea2224dd1532c6eaf20e4d61199240e55ccd0270199fbd22f2806477

SHA512
b8033d8989c66431e1771ffc6d2549a4d1e32b8612b7331e7a2931ddad3e31c8a7e1af8ef129883034b1fcf466b8ad0e1cab431cbf5c20c724f4eef53468f714

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe

Filesize
1.5MB

MD5
ca72f8ead2ae568acc481f685385fb60

SHA1
887a1d53c8b61c81a80592ff62cf9cdf56b29d18

SHA256
d287af28a137d9c015531eae28815d2b0d0a53879318f104ef34e5d86e2c4618

SHA512
8da648e1363d490d6a4ee5ec9e38aec86384f345ae5fd58150b2affce8c3c208e1a55598cfe820d00e9448910598ffde29d2824275ebaafaa7d33279898a2e4c

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe.config

Filesize
26KB

MD5
6126a1ab971d6bd4761f45791af90b1e

SHA1
36013821807f6fe08fe3b60a22ec519fd3e5579c

SHA256
9b7b7ec30f305b3cd9da40662f95ed57ae89ed8afd2b11d26503e387ff3c262d

SHA512
9f74f9f4ad593980337099717ba1e6b584530ee0e192b137297961d1550a70ae3a30fc1bf3e6e670fb817682354648d610f2a542b753a61f397ccaca20908510

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsVPNDomainModel.dll

Filesize
20KB

MD5
85bee1626071af1b07e79fc7963731e4

SHA1
d804e63940798891928f3ba29be85cf06fbb9769

SHA256
222f84cd3111f90b7ce045119e63678ee180ab0a7c4f48cae25f097ee425debe

SHA512
6649931736a607dceea5ec8180e07c14c331761a7dd0fa5ab4187d3302c0a51262ccce40024d6540f3453d8bdd43785c5f8d45e9c5252e097b69b30fced78832

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\Newtonsoft.Json.dll

Filesize
693KB

MD5
33a3c1df70cfab1888a4b20565515f81

SHA1
c1bfab7454dda45074a6e2b9ae4e9a2712830af6

SHA256
0c3c293507c487b76021baaded76defb0fecaf01c1327a448a9b756987595a9e

SHA512
76d3e0c34c5e793283910f93af3693355abdd374cf50234496cf3bbebf82a381113fbb4d53ad469f2f5a001b2cb96c761310a3825f8973ae61a4e8b59061cb28

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\Utils.dll

Filesize
126KB

MD5
8af72dc9783c52125e229f8b79afba94

SHA1
71178bc7cfced6bc5dcb45ed666cdbe2c55182dd

SHA256
68ae722154cebfb3a3ca59b135e182a68fa0d6966a089008028f97022849bbc5

SHA512
dcada700522b78fe0006e84c6599a9857269512eb65a68c0475635f76d5805c43decad74232eb39dae83f987b3dabafe07129d44cce950c8dc9efd11901599e2

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\log4net.config

Filesize
1KB

MD5
7a7521bc7f838610905ce0286324ce39

SHA1
8ab90dd0c4b6edb79a6af2233340d0f59e9ac195

SHA256
2a322178557c88cc3c608101e8fc84bfd2f8fa9b81483a443bb3d09779de218d

SHA512
b25dfdce0977eaf7159df5eabe4b147a6c0adac39c84d1c7a9fe748446a10c8d2e20d04cf36221057aa210633df65f2a460821c8c79a2db16c912ec53a714d83

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\log4net.dll

Filesize
273KB

MD5
5b9a663d7584d8e605b0c39031ec485a

SHA1
b7d86ebe4e18cb6d2a48a1c97ac6f7e39c8a9b91

SHA256
e45afce6eff080d568e3e059498f5768585143336c600011273366905f4fc635

SHA512
b02bd950384cf3d656c4b8f590013392e3028c6183aa9321bd91b6fc1f5d41b03771313ca5e3305398a60642fa14fc5a98daf3e6decba586c80861bafcbf0c64

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Filesize
99KB

MD5
1e3cf83b17891aee98c3e30012f0b034

SHA1
824f299e8efd95beca7dd531a1067bfd5f03b646

SHA256
9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

SHA512
fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
316953a7b1a8fd54ac3e2d3d4ab47047

SHA1
54d9655a0cd381074a4449286d3d1b76969df183

SHA256
d4e26ac9f6f66205fe8a86f1eda0ebb32a494d40ede810031d1133438ce1a940

SHA512
a206940212d268d26c7330faec2493bfeba28cc8f0ece209748042410a0569b19130e8f38f7e8a7669e5a103ee1d6bdb6f1f4c4993e4184ae211da8c43b5163c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgyye1dg.yn0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA29A.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA29A.tmp\modern-wizard.bmp

Filesize
51KB

MD5
7f8e1969b0874c8fb9ab44fc36575380

SHA1
3057c9ce90a23d29f7d0854472f9f44e87b0f09a

SHA256
076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

SHA512
7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA29A.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA29A.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\KcInst32.dll

Filesize
255KB

MD5
3d197a425190b754cd72f79c46edcacf

SHA1
d550711db2fd6d49ab62670f7b5374213873fcdb

SHA256
d464b80f9d383e9ec7b7260b89d3f9451e30ff80069e6a9c79b5e1282a3d671f

SHA512
34db88acbfbefa12c87b62dbb988e7b306f2ee91e04ed17bfc5045d9f50335a4b6670b4a5c7e311585b5c790f885fc8564bc6e13b88e63edafe6acfcdda41a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\VCRUNTIME140.dll

Filesize
107KB

MD5
ded0fb624c202e3595551256e3bc0ba2

SHA1
97c0c52f69fe76c9f1469f3cef78e12e598ad325

SHA256
2aebc4e4ca7645188d12950ca68b39f71ebd86da4228419800c1b1a3754f3130

SHA512
e7b5b9e7898361254903f1dd8b6f4a49fc0854460a427f4249e9e5e1b95c116a7be61e9ec43f02f70a56ad5ad3ce5205d748525cb40829cc49dd835b605c9fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\kcinst.exe

Filesize
117KB

MD5
71f004189b77c2f668c30ec67b876e51

SHA1
425ccabbb9f238f9cb9b3f10546894d57d16a164

SHA256
2aac0a7e1295e3307b1b7c4d2dc9ea5c84245df02981cde43e88fe50529fb38b

SHA512
daff0c7a21a773851f0963aff29eb3aee5832a73764ccba87ab4eb6d79752485a35a41ad19621dda97058c679b7a7258b45e402299d4a3a0f060419aaea9ec2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\kcinst.ini

Filesize
180KB

MD5
f2e64ea08fd129633120c7c0d4af0afa

SHA1
db7a035031086d88610d6d0353c52f1c06391a71

SHA256
f94bf192819a8bc48a1475b2a32435e130f5732c9394b7c95c791dd115426631

SHA512
6992767f5a3ebfbc10cd6497b159ccd3bfe49c2b306899815df5bec292aaa62698a9b02c6f12dc1acea8592816950219b91b96e0863aace1e2f5c865e6977c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\letsvpn-latest.exe

Filesize
14.7MB

MD5
e039e221b48fc7c02517d127e158b89f

SHA1
79eed88061472ae590616556f31576ca13bfc7fb

SHA256
dc30e5dab15392627d30a506f6304030c581fc00716703fc31add10ff263d70b

SHA512
87231c025bb94771e89a639c9cb1528763f096059f8806227b8ab45a8f1ea5cd3d94fdc91cb20dd140b91a14904653517f7b6673a142a864a58a2726d14ae4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\libCLI.dll

Filesize
32KB

MD5
3e513045bc9ead3c27f0e7116cfc4264

SHA1
87eb43d9f727cbb7221b5be7ccf648c5219dfd17

SHA256
842bda02e8a550e425992c100b70351c301eab46041180db023add78b0e6c553

SHA512
8c465363d5a12648578ea8ee98766acd9f42f31a7dee4f56697499fed5df2cf34422565b76efdb8e627157f0163b632baa9a0e7730ae57b4fb43b62f6f46ac35

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\msvcp140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\vcruntime140_1.dll

Filesize
49KB

MD5
f498619721756332ef731f1b72b7f29e

SHA1
5beb1e7f35c33bf636cf1a336b3a02a6f02b0394

SHA256
fd1cc0c1287caf736c7e1e4d9aee80fd74cfdfa52563ddd126c03f45542d45b6

SHA512
ce98577b8783a6b0305ede64811b6a8e094a237589530cb0cbc3af3530d5503f3bf5abaa2b2abcf38f2d3588d5e54f2a322ff78ea8296f0327627eea0da5a8cd

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys

Filesize
38KB

MD5
c10ccdec5d7af458e726a51bb3cdc732

SHA1
0553aab8c2106abb4120353360d747b0a2b4c94f

SHA256
589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253

SHA512
7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat

Filesize
10KB

MD5
f73ac62e8df97faf3fc8d83e7f71bf3f

SHA1
619a6e8f7a9803a4c71f73060649903606beaf4e

SHA256
cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b

SHA512
f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe

Download Submit
memory/1644-30-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/1644-46-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/1644-24-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/1644-25-0x00000000046E0000-0x0000000004716000-memory.dmp

Filesize
216KB

Download
memory/1644-27-0x0000000004DD0000-0x00000000053F8000-memory.dmp

Filesize
6.2MB

Download
memory/1644-26-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/1644-28-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/1644-29-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/1644-31-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/1644-41-0x00000000056B0000-0x0000000005A04000-memory.dmp

Filesize
3.3MB

Download
memory/1644-42-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/1644-43-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download
memory/4244-74-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4244-71-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4244-693-0x00000000029B0000-0x00000000029FE000-memory.dmp

Filesize
312KB

Download
memory/4244-72-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4244-694-0x0000000180000000-0x0000000180076000-memory.dmp

Filesize
472KB

Download
memory/4244-73-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4244-753-0x00000000029B0000-0x00000000029FE000-memory.dmp

Filesize
312KB

Download
memory/4244-76-0x00000000029B0000-0x00000000029FE000-memory.dmp

Filesize
312KB

Download
memory/4244-75-0x00000000029B0000-0x00000000029FE000-memory.dmp

Filesize
312KB

Download
memory/4244-79-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4244-78-0x00000000029B0000-0x00000000029FE000-memory.dmp

Filesize
312KB

Download
memory/4244-77-0x00000000029B0000-0x00000000029FE000-memory.dmp

Filesize
312KB

Download
memory/4272-675-0x0000000000350000-0x00000000004D4000-memory.dmp

Filesize
1.5MB

Download
memory/4272-762-0x0000000034990000-0x00000000349A0000-memory.dmp

Filesize
64KB

Download
memory/4272-831-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-830-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-829-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-828-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-827-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-826-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-824-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-679-0x0000000004CB0000-0x0000000004CD4000-memory.dmp

Filesize
144KB

Download
memory/4272-823-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-683-0x0000000005120000-0x0000000005166000-memory.dmp

Filesize
280KB

Download
memory/4272-687-0x00000000027D0000-0x00000000027DA000-memory.dmp

Filesize
40KB

Download
memory/4272-822-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-820-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-807-0x0000000038A10000-0x0000000038A21000-memory.dmp

Filesize
68KB

Download
memory/4272-692-0x00000000053C0000-0x0000000005472000-memory.dmp

Filesize
712KB

Download
memory/4272-806-0x00000000388E0000-0x0000000038983000-memory.dmp

Filesize
652KB

Download
memory/4272-796-0x0000000036CE0000-0x0000000036D12000-memory.dmp

Filesize
200KB

Download
memory/4272-700-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-705-0x0000000005F70000-0x000000000649C000-memory.dmp

Filesize
5.2MB

Download
memory/4272-706-0x0000000005D00000-0x0000000005D22000-memory.dmp

Filesize
136KB

Download
memory/4272-707-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/4272-708-0x0000000005EB0000-0x0000000005ECA000-memory.dmp

Filesize
104KB

Download
memory/4272-709-0x0000000005EE0000-0x0000000005EEA000-memory.dmp

Filesize
40KB

Download
memory/4272-710-0x0000000005F20000-0x0000000005F46000-memory.dmp

Filesize
152KB

Download
memory/4272-711-0x0000000005ED0000-0x0000000005ED8000-memory.dmp

Filesize
32KB

Download
memory/4272-712-0x0000000005EF0000-0x0000000005EFA000-memory.dmp

Filesize
40KB

Download
memory/4272-713-0x0000000005F00000-0x0000000005F0A000-memory.dmp

Filesize
40KB

Download
memory/4272-714-0x000000000EFE0000-0x000000000EFEA000-memory.dmp

Filesize
40KB

Download
memory/4272-715-0x000000002F920000-0x000000002F946000-memory.dmp

Filesize
152KB

Download
memory/4272-716-0x000000002F4A0000-0x000000002F4B0000-memory.dmp

Filesize
64KB

Download
memory/4272-717-0x00000000305E0000-0x0000000030672000-memory.dmp

Filesize
584KB

Download
memory/4272-722-0x000000002FFE0000-0x000000002FFE8000-memory.dmp

Filesize
32KB

Download
memory/4272-723-0x00000000306F0000-0x0000000030728000-memory.dmp

Filesize
224KB

Download
memory/4272-724-0x00000000306B0000-0x00000000306BE000-memory.dmp

Filesize
56KB

Download
memory/4272-731-0x00000000307B0000-0x00000000307C2000-memory.dmp

Filesize
72KB

Download
memory/4272-738-0x0000000033AB0000-0x0000000034054000-memory.dmp

Filesize
5.6MB

Download
memory/4272-741-0x00000000309A0000-0x00000000309A8000-memory.dmp

Filesize
32KB

Download
memory/4272-743-0x00000000309F0000-0x0000000030A04000-memory.dmp

Filesize
80KB

Download
memory/4272-744-0x0000000031F70000-0x0000000031F78000-memory.dmp

Filesize
32KB

Download
memory/4272-742-0x00000000309D0000-0x00000000309E2000-memory.dmp

Filesize
72KB

Download
memory/4272-745-0x0000000033840000-0x000000003385E000-memory.dmp

Filesize
120KB

Download
memory/4272-789-0x0000000036990000-0x00000000369DC000-memory.dmp

Filesize
304KB

Download
memory/4272-754-0x0000000034370000-0x0000000034380000-memory.dmp

Filesize
64KB

Download
memory/4272-755-0x0000000034530000-0x000000003456A000-memory.dmp

Filesize
232KB

Download
memory/4272-756-0x00000000343D0000-0x00000000343D8000-memory.dmp

Filesize
32KB

Download
memory/4272-757-0x00000000343E0000-0x00000000343F0000-memory.dmp

Filesize
64KB

Download
memory/4272-758-0x0000000034570000-0x000000003458E000-memory.dmp

Filesize
120KB

Download
memory/4272-759-0x000000006DC80000-0x000000006E6E8000-memory.dmp

Filesize
10.4MB

Download
memory/4272-760-0x00000000349A0000-0x00000000349B0000-memory.dmp

Filesize
64KB

Download
memory/4272-761-0x00000000349B0000-0x00000000349C6000-memory.dmp

Filesize
88KB

Download
memory/4272-788-0x0000000035EE0000-0x0000000035F2A000-memory.dmp

Filesize
296KB

Download
memory/4272-763-0x0000000035B10000-0x0000000035C96000-memory.dmp

Filesize
1.5MB

Download
memory/4272-778-0x0000000035CA0000-0x0000000035D16000-memory.dmp

Filesize
472KB

Download
memory/5028-546-0x0000000007AB0000-0x0000000007B53000-memory.dmp

Filesize
652KB

Download
memory/5028-550-0x0000000007E60000-0x0000000007EF6000-memory.dmp

Filesize
600KB

Download
memory/5028-532-0x0000000006B70000-0x0000000006BBC000-memory.dmp

Filesize
304KB

Download
memory/5028-534-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/5028-535-0x0000000070430000-0x000000007047C000-memory.dmp

Filesize
304KB

Download
memory/5028-545-0x0000000006E50000-0x0000000006E6E000-memory.dmp

Filesize
120KB

Download
memory/5028-526-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/5028-548-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/5028-555-0x0000000007E40000-0x0000000007E48000-memory.dmp

Filesize
32KB

Download
memory/5028-549-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/5028-547-0x0000000008200000-0x000000000887A000-memory.dmp

Filesize
6.5MB

Download
memory/5028-551-0x0000000007DC0000-0x0000000007DD1000-memory.dmp

Filesize
68KB

Download
memory/5028-552-0x0000000007DF0000-0x0000000007DFE000-memory.dmp

Filesize
56KB

Download
memory/5028-553-0x0000000007E00000-0x0000000007E14000-memory.dmp

Filesize
80KB

Download
memory/5028-554-0x0000000007F00000-0x0000000007F1A000-memory.dmp

Filesize
104KB

Download