10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9

Analysis

max time kernel
144s
max time network
157s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Size

40.6MB
MD5

4e0c73259e83e8d5f36be55d4a937307
SHA1

539d747d30c16f50ddf6b72da1426709edce5732
SHA256

10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9
SHA512

eaca63ff0faafdd6014864517a9fb92e82d970c99084d6cbf5b493b0b0ca6372541493f4c11b426c09b160369fb4da07d928d74a20078ab3e0743b54e5be99b5
SSDEEP

786432:BxAq3kvG6v0/moop9AaRDEzVARzgsBBSs7ndpTp1Z4qaNrk+0/iClRu:cqUvL8/mfACxgUBSkdvAPy6CPu

Score

10^/10

discovery evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET7002.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET7002.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsGtQhLH = "\"C:\\Program Files (x86)\\Common Files\\DsGtQhLH.lnk\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.8.0\\LetsPRO.exe\" /silent"	LetsPRO.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	pYkYZuRh.exe
File opened (read-only)	\??\K:	pYkYZuRh.exe
File opened (read-only)	\??\V:	pYkYZuRh.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	pYkYZuRh.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	pYkYZuRh.exe
File opened (read-only)	\??\P:	pYkYZuRh.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	pYkYZuRh.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	pYkYZuRh.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	pYkYZuRh.exe
File opened (read-only)	\??\Z:	pYkYZuRh.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	pYkYZuRh.exe
File opened (read-only)	\??\N:	pYkYZuRh.exe
File opened (read-only)	\??\O:	pYkYZuRh.exe
File opened (read-only)	\??\T:	pYkYZuRh.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	pYkYZuRh.exe
File opened (read-only)	\??\I:	pYkYZuRh.exe
File opened (read-only)	\??\M:	pYkYZuRh.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	pYkYZuRh.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	pYkYZuRh.exe
File opened (read-only)	\??\X:	pYkYZuRh.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1752	netsh.exe
2832	netsh.exe
2692	netsh.exe
2956	netsh.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1816	cmd.exe
1056	ARP.EXE

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5B.tmp	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNDomainModel.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Annotations.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Csp.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Primitives.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.ObjectModel.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\ja\System.Web.Services.Description.resources.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\NuGet.Squirrel.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\ru\System.Web.Services.Description.resources.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\ja\System.Web.Services.Description.resources.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.MemoryMappedFiles.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Http.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.SecureString.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Pdb.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensionsAsync.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.DriveInfo.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\netstandard.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\uninst.exe	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Json.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.ThreadPool.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\arm64\WebView2Loader.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\zh-HK\LetsPRO.resources.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.PerformanceCounter.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Formatters.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XDocument.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86\native\e_sqlite3.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\Common Files\DsGtQhLH.lnk	msiexec.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Algorithms.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Pkcs.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Http.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Numerics.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\de\System.Web.Services.Description.resources.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\zh-Hans\System.Web.Services.Description.resources.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.PatchApi.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Handles.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.AccessControl.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.RegularExpressions.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\ru\LetsPRO.resources.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Crashes.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Annotations.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Pipes.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Primitives.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-arm\native\e_sqlite3.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.StackTrace.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.IsolatedStorage.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Duplex.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.CodePages.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86\native	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\Log\20241122.log	LetsPRO.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\SuperSocket.ClientEngine.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.SecureString.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\zh-MO	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.TypeConverter.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.Extensions.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\WindowsInput.dll	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\ru	DsGtQhLH.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.AccessControl.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\1	msiexec.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Timer.dll	DsGtQhLH.exe
File created	C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.nativelibrary.dll	DsGtQhLH.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f789aeb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E53.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\f789ae8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E04.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA519.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA0F3.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f789aeb.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f789ae8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
1096	pYkYZuRh.exe
1616	DsGtQhLH.exe
3008	tapinstall.exe
1636	tapinstall.exe
2764	tapinstall.exe
2888	LetsPRO.exe
1652	LetsPRO.exe

Loads dropped DLL 64 IoCs

pid	Process
1916	MsiExec.exe
1916	MsiExec.exe
1916	MsiExec.exe
1916	MsiExec.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
1616	DsGtQhLH.exe
2888	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1716	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
392	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DsGtQhLH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pYkYZuRh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1464	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c6921900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c0400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a414000000010000001400000032eb929aff3596482f284042702036915c1785e61800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	LetsPRO.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	LetsPRO.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	msiexec.exe
1184	msiexec.exe
1096	pYkYZuRh.exe
1716	powershell.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1096	pYkYZuRh.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1096	pYkYZuRh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	392	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeSecurityPrivilege	1184	msiexec.exe
Token: SeCreateTokenPrivilege	392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	392	msiexec.exe
Token: SeLockMemoryPrivilege	392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	392	msiexec.exe
Token: SeMachineAccountPrivilege	392	msiexec.exe
Token: SeTcbPrivilege	392	msiexec.exe
Token: SeSecurityPrivilege	392	msiexec.exe
Token: SeTakeOwnershipPrivilege	392	msiexec.exe
Token: SeLoadDriverPrivilege	392	msiexec.exe
Token: SeSystemProfilePrivilege	392	msiexec.exe
Token: SeSystemtimePrivilege	392	msiexec.exe
Token: SeProfSingleProcessPrivilege	392	msiexec.exe
Token: SeIncBasePriorityPrivilege	392	msiexec.exe
Token: SeCreatePagefilePrivilege	392	msiexec.exe
Token: SeCreatePermanentPrivilege	392	msiexec.exe
Token: SeBackupPrivilege	392	msiexec.exe
Token: SeRestorePrivilege	392	msiexec.exe
Token: SeShutdownPrivilege	392	msiexec.exe
Token: SeDebugPrivilege	392	msiexec.exe
Token: SeAuditPrivilege	392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	392	msiexec.exe
Token: SeChangeNotifyPrivilege	392	msiexec.exe
Token: SeRemoteShutdownPrivilege	392	msiexec.exe
Token: SeUndockPrivilege	392	msiexec.exe
Token: SeSyncAgentPrivilege	392	msiexec.exe
Token: SeEnableDelegationPrivilege	392	msiexec.exe
Token: SeManageVolumePrivilege	392	msiexec.exe
Token: SeImpersonatePrivilege	392	msiexec.exe
Token: SeCreateGlobalPrivilege	392	msiexec.exe
Token: SeBackupPrivilege	2856	vssvc.exe
Token: SeRestorePrivilege	2856	vssvc.exe
Token: SeAuditPrivilege	2856	vssvc.exe
Token: SeBackupPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeLoadDriverPrivilege	2760	DrvInst.exe
Token: SeLoadDriverPrivilege	2760	DrvInst.exe
Token: SeLoadDriverPrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeRestorePrivilege	1184	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
392	msiexec.exe
392	msiexec.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe
1652	LetsPRO.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1096	pYkYZuRh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1916	1184	msiexec.exe	33
PID 1184 wrote to memory of 1916	1184	msiexec.exe	33
PID 1184 wrote to memory of 1916	1184	msiexec.exe	33
PID 1184 wrote to memory of 1916	1184	msiexec.exe	33
PID 1184 wrote to memory of 1916	1184	msiexec.exe	33
PID 1184 wrote to memory of 1916	1184	msiexec.exe	33
PID 1184 wrote to memory of 1916	1184	msiexec.exe	33
PID 1184 wrote to memory of 1096	1184	msiexec.exe	34
PID 1184 wrote to memory of 1096	1184	msiexec.exe	34
PID 1184 wrote to memory of 1096	1184	msiexec.exe	34
PID 1184 wrote to memory of 1096	1184	msiexec.exe	34
PID 1184 wrote to memory of 1616	1184	msiexec.exe	35
PID 1184 wrote to memory of 1616	1184	msiexec.exe	35
PID 1184 wrote to memory of 1616	1184	msiexec.exe	35
PID 1184 wrote to memory of 1616	1184	msiexec.exe	35
PID 1616 wrote to memory of 1716	1616	DsGtQhLH.exe	37
PID 1616 wrote to memory of 1716	1616	DsGtQhLH.exe	37
PID 1616 wrote to memory of 1716	1616	DsGtQhLH.exe	37
PID 1616 wrote to memory of 1716	1616	DsGtQhLH.exe	37
PID 1616 wrote to memory of 3008	1616	DsGtQhLH.exe	39
PID 1616 wrote to memory of 3008	1616	DsGtQhLH.exe	39
PID 1616 wrote to memory of 3008	1616	DsGtQhLH.exe	39
PID 1616 wrote to memory of 3008	1616	DsGtQhLH.exe	39
PID 1616 wrote to memory of 1636	1616	DsGtQhLH.exe	41
PID 1616 wrote to memory of 1636	1616	DsGtQhLH.exe	41
PID 1616 wrote to memory of 1636	1616	DsGtQhLH.exe	41
PID 1616 wrote to memory of 1636	1616	DsGtQhLH.exe	41
PID 1112 wrote to memory of 2104	1112	DrvInst.exe	45
PID 1112 wrote to memory of 2104	1112	DrvInst.exe	45
PID 1112 wrote to memory of 2104	1112	DrvInst.exe	45
PID 1616 wrote to memory of 2172	1616	DsGtQhLH.exe	48
PID 1616 wrote to memory of 2172	1616	DsGtQhLH.exe	48
PID 1616 wrote to memory of 2172	1616	DsGtQhLH.exe	48
PID 1616 wrote to memory of 2172	1616	DsGtQhLH.exe	48
PID 2172 wrote to memory of 1752	2172	cmd.exe	50
PID 2172 wrote to memory of 1752	2172	cmd.exe	50
PID 2172 wrote to memory of 1752	2172	cmd.exe	50
PID 2172 wrote to memory of 1752	2172	cmd.exe	50
PID 1616 wrote to memory of 1572	1616	DsGtQhLH.exe	51
PID 1616 wrote to memory of 1572	1616	DsGtQhLH.exe	51
PID 1616 wrote to memory of 1572	1616	DsGtQhLH.exe	51
PID 1616 wrote to memory of 1572	1616	DsGtQhLH.exe	51
PID 1572 wrote to memory of 2832	1572	cmd.exe	53
PID 1572 wrote to memory of 2832	1572	cmd.exe	53
PID 1572 wrote to memory of 2832	1572	cmd.exe	53
PID 1572 wrote to memory of 2832	1572	cmd.exe	53
PID 1616 wrote to memory of 1128	1616	DsGtQhLH.exe	54
PID 1616 wrote to memory of 1128	1616	DsGtQhLH.exe	54
PID 1616 wrote to memory of 1128	1616	DsGtQhLH.exe	54
PID 1616 wrote to memory of 1128	1616	DsGtQhLH.exe	54
PID 1128 wrote to memory of 2692	1128	cmd.exe	56
PID 1128 wrote to memory of 2692	1128	cmd.exe	56
PID 1128 wrote to memory of 2692	1128	cmd.exe	56
PID 1128 wrote to memory of 2692	1128	cmd.exe	56
PID 1616 wrote to memory of 2112	1616	DsGtQhLH.exe	57
PID 1616 wrote to memory of 2112	1616	DsGtQhLH.exe	57
PID 1616 wrote to memory of 2112	1616	DsGtQhLH.exe	57
PID 1616 wrote to memory of 2112	1616	DsGtQhLH.exe	57
PID 2112 wrote to memory of 2956	2112	cmd.exe	59
PID 2112 wrote to memory of 2956	2112	cmd.exe	59
PID 2112 wrote to memory of 2956	2112	cmd.exe	59
PID 2112 wrote to memory of 2956	2112	cmd.exe	59
PID 1616 wrote to memory of 2764	1616	DsGtQhLH.exe	60
PID 1616 wrote to memory of 2764	1616	DsGtQhLH.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- UAC bypass
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5F5DB85C086DB8117A7155C1738DE34
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Program Files (x86)\pYkYZuRh.exe
  "C:\Program Files (x86)\pYkYZuRh.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1096
- C:\Program Files (x86)\DsGtQhLH.exe
  "C:\Program Files (x86)\DsGtQhLH.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1716
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=lets
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=lets
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=lets.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=lets.exe
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsPRO.exe
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsPRO
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2956
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
    3⤵
    - Executes dropped EXE
    PID:2764
- - C:\Program Files (x86)\letsvpn\LetsPRO.exe
    "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2888
  - - C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe
      "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"
      4⤵
      Adds Run key to start application
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface ipv4 set interface LetsTAP metric=1
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C route print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C arp -a
        5⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:1816
      - C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:1056
    - - C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "0000000000000564"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4785cad3-e345-1789-9bad-3f4a3d8f383f}\oemvista.inf" "9" "6d14a44ff" "0000000000000574" "WinSta0\Default" "00000000000003DC" "208" "c:\program files (x86)\letsvpn\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5c471caf-e6b1-16ef-f1bb-3b035b645212} Global\{367e1d7d-a35c-68f7-18f9-aa28a85b602c} C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\tap0901.cat
  2⤵
  PID:2104

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000060" "0000000000000608"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1448

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "0000000000000574" "00000000000005FC" "0000000000000608"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f789aec.rbs

Filesize
5KB

MD5
e378f8903b614f0bf3477268917ef72d

SHA1
baf28e5621b13557779e61d03ec59d771459c155

SHA256
ae728743388e6c7905dacefabfd51f76868a7f5a92f8cb4a65c96c8c7dc20275

SHA512
0fc187ca054f57ae73e8929903c8eb9a739298b588b6a3183a21a1e7ff6af270ab425feb37608d6fed70dd502234d82f74e060fcef09a0f7f51e803eb8c49653

Download Submit
C:\Program Files (x86)\1

Filesize
6.0MB

MD5
a589ea47d27781243203497042014ee3

SHA1
02af54d118fdb181247e76a79a3acfbb074bf6ea

SHA256
d25b465e1a59b452605512566d4417cb44a72d07b989f8cb276849bf4f66ac52

SHA512
baed6eda05efb91f65812e117730bd3d6587166667dc3b7e2f1f3c802a713829b5b6c9c0287fe37267e4a4a5f941776aa49adcbe45ffa1da99e9b73c99b0a09e

Download Submit
C:\Program Files (x86)\Common Files\DsGtQhLH.lnk

Filesize
878B

MD5
20b022ca5682bad9fc77a100531b7b43

SHA1
0f0348527ffe70907e0189696ffee55547c88868

SHA256
6fe31003727b98e901d31dd75309bc4d46dc2670e2315544b8e459bba41b5473

SHA512
349af6776f2552935f4208c2f605f8348ee5b3e3ffda9dd25749f2337f190bae3c0d395991961a9776cbe5b8858df4f8c7eb00766e21bc5fcd1517c68e569311

Download Submit
C:\Program Files (x86)\DsGtQhLH.exe

Filesize
14.5MB

MD5
9c44be4ceac0c983a812fd8459511fd0

SHA1
bd5aaad4acd523cd2855e8b50a8380365d81e041

SHA256
b6750a3631413d71d7ea10292a11e5d0560afb6ccd4ad4baa75d7dc80842f153

SHA512
372ddeb1045d49e8f98f17bccffb0e3edc2179e541f8a4493300517327e514c7bf64557250e0f84f7366310a3d7a58a8d5480596f9be075b3f5d9411a49b4d09

Download Submit
C:\Program Files (x86)\MSVCP100.dll

Filesize
412KB

MD5
ed40615aa67499e2d2da8389ba9b331a

SHA1
09780d2c9d75878f7a9bb94599f3dc9386cf3789

SHA256
cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d

SHA512
47d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee

Download Submit
C:\Program Files (x86)\MSVCR100.dll

Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe

Filesize
1.4MB

MD5
38973dbbfad9619fde39fab919eb9a04

SHA1
09c0b7ec430092c41a576565d8cf8e9df40e12fe

SHA256
e7806cd45b774d640bfd1f92e0893d28b87117a9dc25edb490da4449d57ca8ac

SHA512
fed73ef38f0008ab93589a6f525866a3f73ce9b090e41482dc4933dadc6f1bce1a26990e8f44704e934528d71e6887d0d44bb38f8b5402cf4c9b2880f16eea67

Download Submit
C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe.config

Filesize
22KB

MD5
3b1d12693ee14f307d7e8b1f08ae23c0

SHA1
82719e54b457a4e5cc57b33714e67fc0305b6e90

SHA256
0b2a37670105e8d30fe0c4aecfad876f669663834a6c91bc89e309fb609032b7

SHA512
ac7b99e0fb2e7d656dfc8e5df1fad58e4446c854e6d1d05a48dbd5fe93ab4978c3b206d828d8bcfc874eff0981886be4ae72e063aaccf895959d7cd5456a5e95

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Filesize
99KB

MD5
1e3cf83b17891aee98c3e30012f0b034

SHA1
824f299e8efd95beca7dd531a1067bfd5f03b646

SHA256
9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

SHA512
fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

Download Submit
C:\Program Files (x86)\libcurl.dll

Filesize
19.4MB

MD5
9ff980feb6fccdb08ab3fe6fc5e428f1

SHA1
3c60d0fa914291da59a3cc883becd0ea26c1f26a

SHA256
d0cdc6b3747195a88b6918926f488215396970aa342e14d6ea819919d274a381

SHA512
989d76d721963f46386350c08b4e7a50a52e16d9fc92bc13c7f1fa20997a9aa35a8f144564af9f483b0e3f2fd32d436adfa84cb8638e9c408a79960b6da38618

Download Submit
C:\Program Files (x86)\pYkYZuRh.exe

Filesize
129KB

MD5
7ea6be30e745e9556c017439c5e83273

SHA1
4e36ae4f8bb1c6a438f8cc6952ec840415b5d9f2

SHA256
5a3e4e68ffa8e8796ec0ff3d01473ceafa070dc533a1c268d073ee7abd6c8021

SHA512
0a17f4e6e60932282cb28823a77c5ebef7a8c8ee472f00c9ef9eebb0481886647faa698f2c2e193db095c6467f6e41307aff96030fadd3072ba700c1e1e45724

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
50bbdd18853ba060a6b5e3ccc993f22b

SHA1
48cb1663cf0429db05c974970bff55670b296f04

SHA256
9b960712d37bbda946ce840eeef2d299232b7e40c96b0a5e15f1db5e103f24d6

SHA512
b462116da520298f6cddc6bcd8c1aca14e94ca354ace8017f9f3f49637acde562b0466215a52f92030be88deb9aa3d5b149bd96df1a4d80dfadde5b4b41ba394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab27FC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar281F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB118.tmp\modern-wizard.bmp

Filesize
51KB

MD5
7f8e1969b0874c8fb9ab44fc36575380

SHA1
3057c9ce90a23d29f7d0854472f9f44e87b0f09a

SHA256
076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

SHA512
7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF

Filesize
8KB

MD5
c703871ed483fed1b9f8912f2cc6a918

SHA1
6584a63dba15d50f843e3415978792a1c89ae770

SHA256
d47297606ef52d61be79e765e8606d67bfef363ee1745c7848ca148f4f36c5f9

SHA512
b3ab7b37f40ac00d141edfc024a4c6b27fdbf2390f190da4f0e8644d5ffad069a1ca144bde1b00c7e71d20886b701186bd992e9cc283649e4c7887bf13c6f50c

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
1effae4c5442cf75e7f1675525c74c46

SHA1
85d5256f13d88403e4b742b3ae4ec87b5395f70b

SHA256
cdaaba5e4e2c97577a5c39160be5978ee61b4aad261f5db492ecfeb97114758a

SHA512
da873b03035f0da64a35489cb39f8ff83d2b150e625406e543c308de4d041a6f99bca0d89c1078422ec8ab58ade340e8418ff16c591451017dc00f6b3a4cc34b

Download Submit
C:\Windows\Temp\Cab2A9B.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar2ADD.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
9c70c57bd0f63094ca036bb2b4c5ea2a

SHA1
6f26dd6be73f3f78ae5d8c89425351afbe967f55

SHA256
2dae52e378374571ed09836122b04ba934dd6023c13051ecfe9ca06486a49d86

SHA512
52bab7eb115f7e60a993d1593e112ca7ac580ffb656e8b7b5b40a2063e9be4ea14af2d17a9210f091bf026992f6e592f9ee002c4cb75c9b8f00432a1fb10db85

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys

Filesize
30KB

MD5
b1c405ed0434695d6fc893c0ae94770c

SHA1
79ecacd11a5f2b7e2d3f0461eef97b7b91181c46

SHA256
4c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246

SHA512
635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat

Filesize
9KB

MD5
4fee2548578cd9f1719f84d2cb456dbf

SHA1
3070ed53d0e9c965bf1ffea82c259567a51f5d5f

SHA256
baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24

SHA512
6bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe

Filesize
240KB

MD5
ea9e2f517b1cc2dbe7f78302dd7fb593

SHA1
cb326eeee062bfc20be4d07fa989b001811fc03c

SHA256
b1037f963c91ab0f586349d5aede8e25686784f46f031dfc422e0d69a9939f48

SHA512
d8d38e5243ff8f8e3f790c3587bf0360afd7dd185886da86ad7ad6111eed121e91eca18bac9563ea4e6984c46f88639f58a2073884567ca982383ec2cf32f0eb

Download Submit
\Program Files (x86)\letsvpn\app-3.8.0\Utils.dll

Filesize
126KB

MD5
d615a49b867921d097b87f5653d06da8

SHA1
9475f5bd2517a71d68388f04a247725814bb0a39

SHA256
ca0a071afff810cae52cce1def9456d4ddb8ca1a165a4b0aae16951a6f337542

SHA512
1986d66a9638d0cc998ee0534fe9443a41f8988aca226770934c5a9b7157931ec8c456ff0034ec63ef32da842d6bae31d97003ab5d65f3a7e51c2773dc758cbe

Download Submit
\Users\Admin\AppData\Local\Temp\nspB118.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nspB118.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nspB118.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Windows\Installer\MSI9E53.tmp

Filesize
408KB

MD5
0901970c2066aed8a97d75aaf1fd3146

SHA1
f0c700a4bfcebad9843e01a88bab71b5f38996d8

SHA256
41f827e6addfc71d68cd4758336edf602349fb1230256ec135121f95c670d773

SHA512
00e12fd2d752a01dfa75550ffaf3a2f337171cec93cd013083c37137a455e93bebd72e7d8487ec3e1de5fe22994f058829a6597765612278c20d601192cbe733

Download Submit
memory/1096-102-0x0000000003430000-0x0000000003D57000-memory.dmp

Filesize
9.2MB

Download
memory/1096-80-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1096-110-0x00000000029F0000-0x0000000002A28000-memory.dmp

Filesize
224KB

Download
memory/1096-111-0x00000000029F0000-0x0000000002A28000-memory.dmp

Filesize
224KB

Download
memory/1096-105-0x00000000029F0000-0x0000000002A28000-memory.dmp

Filesize
224KB

Download
memory/1096-103-0x0000000003430000-0x0000000003D57000-memory.dmp

Filesize
9.2MB

Download
memory/1096-104-0x00000000029F0000-0x0000000002A28000-memory.dmp

Filesize
224KB

Download
memory/1096-101-0x0000000003430000-0x0000000003D57000-memory.dmp

Filesize
9.2MB

Download
memory/1096-99-0x0000000003430000-0x0000000003D57000-memory.dmp

Filesize
9.2MB

Download
memory/1096-100-0x0000000003430000-0x0000000003D57000-memory.dmp

Filesize
9.2MB

Download
memory/1096-88-0x0000000003430000-0x0000000003D57000-memory.dmp

Filesize
9.2MB

Download
memory/1096-85-0x0000000010000000-0x0000000011E5A000-memory.dmp

Filesize
30.4MB

Download
memory/1096-84-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1096-75-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1096-77-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1096-79-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1096-82-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1096-123-0x0000000003430000-0x0000000003D57000-memory.dmp

Filesize
9.2MB

Download
memory/1652-890-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1652-1036-0x0000000006180000-0x0000000006194000-memory.dmp

Filesize
80KB

Download
memory/1652-884-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1652-885-0x0000000005210000-0x00000000052C2000-memory.dmp

Filesize
712KB

Download
memory/1652-886-0x0000000000D50000-0x0000000000D6E000-memory.dmp

Filesize
120KB

Download
memory/1652-887-0x0000000000EF0000-0x0000000000F0A000-memory.dmp

Filesize
104KB

Download
memory/1652-888-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/1652-889-0x0000000001350000-0x0000000001376000-memory.dmp

Filesize
152KB

Download
memory/1652-891-0x00000000049D0000-0x00000000049DA000-memory.dmp

Filesize
40KB

Download
memory/1652-882-0x00000000001F0000-0x0000000000214000-memory.dmp

Filesize
144KB

Download
memory/1652-892-0x00000000049F0000-0x00000000049FA000-memory.dmp

Filesize
40KB

Download
memory/1652-893-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/1652-895-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/1652-894-0x00000000052E0000-0x0000000005306000-memory.dmp

Filesize
152KB

Download
memory/1652-897-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/1652-896-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/1652-974-0x0000000005A50000-0x0000000005A62000-memory.dmp

Filesize
72KB

Download
memory/1652-883-0x0000000000230000-0x0000000000276000-memory.dmp

Filesize
280KB

Download
memory/1652-1035-0x0000000006150000-0x0000000006162000-memory.dmp

Filesize
72KB

Download
memory/1652-1034-0x0000000006020000-0x0000000006028000-memory.dmp

Filesize
32KB

Download
memory/1652-1037-0x00000000061A0000-0x00000000061A8000-memory.dmp

Filesize
32KB

Download
memory/1652-1040-0x000000006BAE0000-0x000000006C547000-memory.dmp

Filesize
10.4MB

Download
memory/1652-1043-0x000000002F2B0000-0x000000002F2C0000-memory.dmp

Filesize
64KB

Download
memory/1652-1046-0x000000002F3A0000-0x000000002F3B6000-memory.dmp

Filesize
88KB

Download
memory/1652-1047-0x000000002F480000-0x000000002F490000-memory.dmp

Filesize
64KB

Download
memory/1652-1050-0x000000002F8D0000-0x000000002F92C000-memory.dmp

Filesize
368KB

Download
memory/1652-1053-0x000000000E960000-0x000000000E97E000-memory.dmp

Filesize
120KB

Download
memory/1652-1054-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/1652-1055-0x000000002F310000-0x000000002F342000-memory.dmp

Filesize
200KB

Download
memory/1652-1056-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/1652-1113-0x000000006BAE0000-0x000000006C547000-memory.dmp

Filesize
10.4MB

Download
memory/1652-1280-0x000000006BAE0000-0x000000006C547000-memory.dmp

Filesize
10.4MB

Download
memory/1652-1392-0x000000006BAE0000-0x000000006C547000-memory.dmp

Filesize
10.4MB

Download
memory/1652-1393-0x000000006BAE0000-0x000000006C547000-memory.dmp

Filesize
10.4MB

Download
memory/1652-878-0x0000000001380000-0x00000000014EE000-memory.dmp

Filesize
1.4MB

Download
memory/2032-826-0x0000000000CB0000-0x0000000000CD6000-memory.dmp

Filesize
152KB

Download