ac4e2d438500d0cd21f3fc269b37123dcd8c732bcf945b716b29643c411f4089

Analysis

max time kernel
139s
max time network
157s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kuai.exe
Size

31.4MB
MD5

bb1058c71041096a14109e59bdcb4e5f
SHA1

0ad3510e1e0f1e01fdd645e114f8ce743b1aed1b
SHA256

ac4e2d438500d0cd21f3fc269b37123dcd8c732bcf945b716b29643c411f4089
SHA512

f25a6cd4b741f33f10f06fad324d93b48013ffcfcb850fa50971b1b76bde381007b8bf5b0b736569ac5661e49a3e8d54b308f8f09dfbc8540b9911ee71ded99b
SSDEEP

393216:ysFBi0lwDQi8oo4zAQUi+9U8TEFzSVy6vbBYShIL6DNBjuy1K+HAfHiF3v:y+BBuEidD98TE8s6NzpS/Q

Score

10^/10

discovery evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET760.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET760.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2236	netsh.exe
2840	netsh.exe
2712	netsh.exe
1092	netsh.exe
1580	netsh.exe

Executes dropped EXE 7 IoCs

pid	Process
2928	WXWorkUpdate.exe
2816	letsvpn-latest.exe
1480	tapinstall.exe
2588	tapinstall.exe
568	tapinstall.exe
2944	LetsPRO.exe
2416	LetsPRO.exe

Loads dropped DLL 64 IoCs

pid	Process
2928	WXWorkUpdate.exe
2928	WXWorkUpdate.exe
2928	WXWorkUpdate.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2816	letsvpn-latest.exe
2944	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\" /silent"	LetsPRO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2548	cmd.exe
1664	ARP.EXE

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\SET9A3D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\SET9ABA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\SET9A3D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\SET9ABA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\SET9ADB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\SET9ADB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Http.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.AccessControl.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ComponentModel.Primitives.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Pkcs.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\arm64\WebView2Loader.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\LetsVPNDomainModel.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Web.WebView2.Wpf.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ComponentModel.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.CompilerServices.Unsafe.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Web.WebView2.Core.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Globalization.Calendars.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.WebSockets.Client.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\NuGet.Squirrel.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Management.Automation.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\MdXaml.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\log4net.config	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ComponentModel.EventBasedAsync.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Mono.Cecil.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Memory.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.IPNetwork.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.Extensions.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Primitives.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ServiceModel.Primitives.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Hardcodet.Wpf.TaskbarNotification.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.Serialization.Xml.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\zh-Hant\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\SQLitePCLRaw.nativelibrary.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Collections.Specialized.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Data.OleDb.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ServiceModel.Duplex.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Text.Encoding.CodePages.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\ko\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\SuperSocket.ClientEngine.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Web.WebView2.Core.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Collections.NonGeneric.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Configuration.ConfigurationManager.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Csp.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-x64\native	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\DeltaCompressionDotNet.PatchApi.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.Debug.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.Thread.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\View\Assets\notification_icon.png	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe.config	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\ToastNotifications.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\microsoft.identitymodel.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\pt-BR\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\zh-TW	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\DeltaCompressionDotNet.MsDelta.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Squirrel.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.FileSystem.Primitives.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.FileSystem.Watcher.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.SecureString.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-arm\native\e_sqlite3.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Win32.SystemEvents.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Resources.ResourceManager.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\arm64	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\ko	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Linq.Queryable.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Newtonsoft.Json.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Text.Encoding.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.Tasks.Parallel.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Claims.dll	letsvpn-latest.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WXWorkUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2980	ipconfig.exe
2228	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	LetsPRO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c6921900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c0400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a414000000010000001400000032eb929aff3596482f284042702036915c1785e61800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3040	powershell.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1736	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	kuai.exe
Token: 33	2768	mmc.exe
Token: SeIncBasePriorityPrivilege	2768	mmc.exe
Token: 33	2768	mmc.exe
Token: SeIncBasePriorityPrivilege	2768	mmc.exe
Token: 33	1736	mmc.exe
Token: SeIncBasePriorityPrivilege	1736	mmc.exe
Token: 33	1736	mmc.exe
Token: SeIncBasePriorityPrivilege	1736	mmc.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2576	rundll32.exe
Token: SeRestorePrivilege	2576	rundll32.exe
Token: SeRestorePrivilege	2576	rundll32.exe
Token: SeRestorePrivilege	2576	rundll32.exe
Token: SeRestorePrivilege	2576	rundll32.exe
Token: SeRestorePrivilege	2576	rundll32.exe
Token: SeRestorePrivilege	2576	rundll32.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe
Token: SeBackupPrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2860	DrvInst.exe
Token: SeRestorePrivilege	2472	DrvInst.exe
Token: SeRestorePrivilege	2472	DrvInst.exe
Token: SeRestorePrivilege	2472	DrvInst.exe
Token: SeRestorePrivilege	2472	DrvInst.exe
Token: SeRestorePrivilege	2472	DrvInst.exe
Token: SeRestorePrivilege	2472	DrvInst.exe
Token: SeRestorePrivilege	2472	DrvInst.exe
Token: SeLoadDriverPrivilege	2472	DrvInst.exe
Token: SeLoadDriverPrivilege	2472	DrvInst.exe
Token: SeLoadDriverPrivilege	2472	DrvInst.exe
Token: SeRestorePrivilege	2588	tapinstall.exe
Token: SeLoadDriverPrivilege	2588	tapinstall.exe
Token: SeRestorePrivilege	1300	DrvInst.exe
Token: SeRestorePrivilege	1300	DrvInst.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe
2416	LetsPRO.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2904	kuai.exe
2904	kuai.exe
2768	mmc.exe
2768	mmc.exe
1736	mmc.exe
1736	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2860	2904	kuai.exe	29
PID 2904 wrote to memory of 2860	2904	kuai.exe	29
PID 2904 wrote to memory of 2860	2904	kuai.exe	29
PID 2860 wrote to memory of 2980	2860	cmd.exe	31
PID 2860 wrote to memory of 2980	2860	cmd.exe	31
PID 2860 wrote to memory of 2980	2860	cmd.exe	31
PID 2904 wrote to memory of 2840	2904	kuai.exe	32
PID 2904 wrote to memory of 2840	2904	kuai.exe	32
PID 2904 wrote to memory of 2840	2904	kuai.exe	32
PID 2904 wrote to memory of 2184	2904	kuai.exe	34
PID 2904 wrote to memory of 2184	2904	kuai.exe	34
PID 2904 wrote to memory of 2184	2904	kuai.exe	34
PID 2184 wrote to memory of 2852	2184	cmd.exe	36
PID 2184 wrote to memory of 2852	2184	cmd.exe	36
PID 2184 wrote to memory of 2852	2184	cmd.exe	36
PID 2184 wrote to memory of 2764	2184	cmd.exe	37
PID 2184 wrote to memory of 2764	2184	cmd.exe	37
PID 2184 wrote to memory of 2764	2184	cmd.exe	37
PID 2184 wrote to memory of 2828	2184	cmd.exe	38
PID 2184 wrote to memory of 2828	2184	cmd.exe	38
PID 2184 wrote to memory of 2828	2184	cmd.exe	38
PID 2904 wrote to memory of 2780	2904	kuai.exe	39
PID 2904 wrote to memory of 2780	2904	kuai.exe	39
PID 2904 wrote to memory of 2780	2904	kuai.exe	39
PID 2768 wrote to memory of 2928	2768	mmc.exe	42
PID 2768 wrote to memory of 2928	2768	mmc.exe	42
PID 2768 wrote to memory of 2928	2768	mmc.exe	42
PID 2768 wrote to memory of 2928	2768	mmc.exe	42
PID 2768 wrote to memory of 2928	2768	mmc.exe	42
PID 2768 wrote to memory of 2928	2768	mmc.exe	42
PID 2768 wrote to memory of 2928	2768	mmc.exe	42
PID 1736 wrote to memory of 2816	1736	mmc.exe	44
PID 1736 wrote to memory of 2816	1736	mmc.exe	44
PID 1736 wrote to memory of 2816	1736	mmc.exe	44
PID 1736 wrote to memory of 2816	1736	mmc.exe	44
PID 1736 wrote to memory of 2816	1736	mmc.exe	44
PID 1736 wrote to memory of 2816	1736	mmc.exe	44
PID 1736 wrote to memory of 2816	1736	mmc.exe	44
PID 2816 wrote to memory of 3040	2816	letsvpn-latest.exe	45
PID 2816 wrote to memory of 3040	2816	letsvpn-latest.exe	45
PID 2816 wrote to memory of 3040	2816	letsvpn-latest.exe	45
PID 2816 wrote to memory of 3040	2816	letsvpn-latest.exe	45
PID 2816 wrote to memory of 1480	2816	letsvpn-latest.exe	47
PID 2816 wrote to memory of 1480	2816	letsvpn-latest.exe	47
PID 2816 wrote to memory of 1480	2816	letsvpn-latest.exe	47
PID 2816 wrote to memory of 1480	2816	letsvpn-latest.exe	47
PID 2816 wrote to memory of 2588	2816	letsvpn-latest.exe	49
PID 2816 wrote to memory of 2588	2816	letsvpn-latest.exe	49
PID 2816 wrote to memory of 2588	2816	letsvpn-latest.exe	49
PID 2816 wrote to memory of 2588	2816	letsvpn-latest.exe	49
PID 2860 wrote to memory of 2576	2860	DrvInst.exe	53
PID 2860 wrote to memory of 2576	2860	DrvInst.exe	53
PID 2860 wrote to memory of 2576	2860	DrvInst.exe	53
PID 2816 wrote to memory of 2304	2816	letsvpn-latest.exe	58
PID 2816 wrote to memory of 2304	2816	letsvpn-latest.exe	58
PID 2816 wrote to memory of 2304	2816	letsvpn-latest.exe	58
PID 2816 wrote to memory of 2304	2816	letsvpn-latest.exe	58
PID 2304 wrote to memory of 2236	2304	cmd.exe	60
PID 2304 wrote to memory of 2236	2304	cmd.exe	60
PID 2304 wrote to memory of 2236	2304	cmd.exe	60
PID 2304 wrote to memory of 2236	2304	cmd.exe	60
PID 2816 wrote to memory of 2832	2816	letsvpn-latest.exe	61
PID 2816 wrote to memory of 2832	2816	letsvpn-latest.exe	61
PID 2816 wrote to memory of 2832	2816	letsvpn-latest.exe	61

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\kuai.exe
"C:\Users\Admin\AppData\Local\Temp\kuai.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2980
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\ProgramData\4NTJa.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\7bDDU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2852
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2764
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\8iVy2\0Xs71~16\s+C:\ProgramData\8iVy2\0Xs71~16\a C:\ProgramData\8iVy2\0Xs71~16\DuiLib.dll
  2⤵
  PID:2780

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768
- C:\ProgramData\8iVy2\0Xs71~16\WXWorkUpdate.exe
  "C:\ProgramData\8iVy2\0Xs71~16\WXWorkUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2928

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\ProgramData\letsvpn-latest.exe
  "C:\ProgramData\letsvpn-latest.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
    3⤵
    - Executes dropped EXE
    PID:1480
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=lets
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=lets
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=lets.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=lets.exe
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsPRO.exe
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsPRO
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall Delete rule name=LetsVPN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1580
- - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
    "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
    3⤵
    - Executes dropped EXE
    PID:568
- - C:\Program Files (x86)\letsvpn\LetsPRO.exe
    "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2944
  - - C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe
      "C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface ipv4 set interface LetsTAP metric=1
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C route print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C arp -a
        5⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:1664
    - - C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2684

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4071ca87-112d-50d9-78f9-5b1a85f24557}\oemvista.inf" "9" "6d14a44ff" "00000000000003B8" "WinSta0\Default" "00000000000005DC" "208" "c:\program files (x86)\letsvpn\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{236f3b49-105e-4df3-166a-5b2cd43a9d30} Global\{47bbe31d-3c76-24c0-a015-2023fcb3922f} C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{63840dd4-dcd5-14f1-766c-3406775e4128}\tap0901.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E8" "00000000000005FC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "00000000000003B8" "00000000000005A0" "0000000000000608"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe.config

Filesize
26KB

MD5
6126a1ab971d6bd4761f45791af90b1e

SHA1
36013821807f6fe08fe3b60a22ec519fd3e5579c

SHA256
9b7b7ec30f305b3cd9da40662f95ed57ae89ed8afd2b11d26503e387ff3c262d

SHA512
9f74f9f4ad593980337099717ba1e6b584530ee0e192b137297961d1550a70ae3a30fc1bf3e6e670fb817682354648d610f2a542b753a61f397ccaca20908510

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\ProgramData\8iVy2\0Xs71~16\DuiLib.dll

Filesize
2.3MB

MD5
3fe2756032dd2b102b5aedc719b46d10

SHA1
1b8d2b21350f9bfe270b12d77a9f793f5eecead2

SHA256
03c2632bc7ae92e409c063e4f260b1a7199ff6cdd7ba0b0455fd1947afe79b99

SHA512
800c62ea9d22c3d044de0497775b4f9a72a360ee0e4c222e267453b7d9cf7f90754689988c684aabdcffa8f245e9e9a48a2616f22a5cccfb11e06ad70b3160ae

Download Submit
C:\ProgramData\8iVy2\0Xs71~16\SK.txt

Filesize
204KB

MD5
108f9300c28d82bcd7cedc8769e91be6

SHA1
bbd6ab51e82887e8c8b0cf1a9e55a84078075100

SHA256
e7220fe3d5e1eb97584f88e0d25af27a018d748100b3f840c697b71c1037b238

SHA512
bb7f7d6a483cb01cf69895eba967d2a3b10d4af430c1d2ff0c16f5d3194a279fe525bf344d964d44c1c16ff9df79ffcee1d4ebf28f838909eccf948dc5d70703

Download Submit
C:\ProgramData\8iVy2\0Xs71~16\WXWorkUpdate.exe

Filesize
1.2MB

MD5
919845c9609f79ce1927249ec6d541c2

SHA1
f7fb946e5895ec3aecdd25e5403ea10374744bc0

SHA256
9843402d481a895f2f43601e2bf7164eb5589f583f9b58978c61677eb17e0990

SHA512
c612f0507790fca918eab7e34817a51ae3bc935a15b200b659c1cc8aeaf9c97cfbc1203d921fe38eedc402c3b1d8f88998f8f39dbf25e845139738d50a945092

Download Submit
C:\ProgramData\8iVy2\0Xs71~16\a

Filesize
1.2MB

MD5
2e9d70be56fa937fbc8d342997a3813b

SHA1
3adce5be09b0924ba7f4e02444c9f19027e0eca3

SHA256
7388e270cc163022c540650f08823825be0076a0b25b0e7bc4bdc6319e28cf79

SHA512
7c562d88c62f5a4cbf7ba0351e5793b6363439e626e922d81145334a3523eb371f68f9d0ee117e12f055e39d09267442233a735b2a8768bbf5de048c952567d8

Download Submit
C:\ProgramData\8iVy2\0Xs71~16\s

Filesize
1.2MB

MD5
25e6c245c0b2d8f895be134bd54390d1

SHA1
41096adbc64cb7b310f7534dda521b5dec86d994

SHA256
0ce06d64d518f0df305711964a2adf8e24eb234ec1c8a2cab6f37c2a04d147bd

SHA512
36df8e9877b2cdab0a5dead00fc47cb0a1d3aee44f35424d0f8e776c3d38f9251b36ebee0444989089ba22eab52d2744f2863fcecce0e3469aee79040da3b55b

Download Submit
C:\ProgramData\letsvpn-latest.exe

Filesize
14.7MB

MD5
e039e221b48fc7c02517d127e158b89f

SHA1
79eed88061472ae590616556f31576ca13bfc7fb

SHA256
dc30e5dab15392627d30a506f6304030c581fc00716703fc31add10ff263d70b

SHA512
87231c025bb94771e89a639c9cb1528763f096059f8806227b8ab45a8f1ea5cd3d94fdc91cb20dd140b91a14904653517f7b6673a142a864a58a2726d14ae4b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0ee69af232b63531a442a0e4df65ad2b

SHA1
c2f41728333bbe807d4729ec5b41cdb2a51b8fcb

SHA256
e26490f54a4837bc78d083eeb39e6431e4eb2104ac5b90ff55c849ab28671b18

SHA512
ec16b082d0d504abd0f73385b9acdec277ba1587513f7071ec36f46c7d87e99af551367f1ed7552791018a372fcdc226e40f72404f140e89c1a2c988ee1125cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab981D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar983F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj3F52.tmp\modern-wizard.bmp

Filesize
51KB

MD5
7f8e1969b0874c8fb9ab44fc36575380

SHA1
3057c9ce90a23d29f7d0854472f9f44e87b0f09a

SHA256
076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

SHA512
7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

Download Submit
C:\Users\Admin\AppData\Roaming\7bDDU.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF

Filesize
8KB

MD5
a77bad85d8d8bbae7f18809edccf3e3c

SHA1
a2696e50d17f2b7f102efe33fc777c89ccba5705

SHA256
1ad8b927d83c8e0d7417210eccd466f051f0623c2d41b62d7e7a0c2632015e9a

SHA512
8b85da1222e60190e83e6b0e8eef0c182deb243206ad2a6903317cccb4bcde504f84870e90129a7cae0e03175ce7f04c84899bca7cfaf22a9886e15e47bc7f3d

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
40c7520134b29cb89a8341bfa362f0ef

SHA1
b9c90622c58096f2168cc1bd81f051b79ca7f7d0

SHA256
406f682d74cf7244b2c3d414de2fef03887255ad8e80e33f8b61b4d7393657c8

SHA512
90b1446316d63a2063cbd8d008e6445dab2406d4ddfcc37ef0b35d684f1168d7760cae7619257f9c946906b69d39d385cf92c11b62eda61059c082b3723c76c9

Download Submit
C:\Windows\Temp\Cab9B96.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9BD7.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
326f95b1ce4061cc83f6981b20b83969

SHA1
df3aa2a3506417c76819c6f919885a3addd7feeb

SHA256
09a1d3b835e424b9cc2807fb0e5a5168398a30cb7f597d586fcc6c303969ab4b

SHA512
05f6de166623fc5bb3d0c9b8402dc6389cc29f1e4cb05a12bb17766da0325e742016d85715037ca4b4faa009ff211f47fdfc27eab09476735cc15a0c1392c571

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys

Filesize
30KB

MD5
b1c405ed0434695d6fc893c0ae94770c

SHA1
79ecacd11a5f2b7e2d3f0461eef97b7b91181c46

SHA256
4c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246

SHA512
635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat

Filesize
9KB

MD5
4fee2548578cd9f1719f84d2cb456dbf

SHA1
3070ed53d0e9c965bf1ffea82c259567a51f5d5f

SHA256
baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24

SHA512
6bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe

Filesize
240KB

MD5
bd8643e5db648810348aa0755e455b70

SHA1
119cb1fb3057d9759d0abb3dfdafc460456c1cc4

SHA256
bec6a116ea2224dd1532c6eaf20e4d61199240e55ccd0270199fbd22f2806477

SHA512
b8033d8989c66431e1771ffc6d2549a4d1e32b8612b7331e7a2931ddad3e31c8a7e1af8ef129883034b1fcf466b8ad0e1cab431cbf5c20c724f4eef53468f714

Download Submit
\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe

Filesize
1.5MB

MD5
ca72f8ead2ae568acc481f685385fb60

SHA1
887a1d53c8b61c81a80592ff62cf9cdf56b29d18

SHA256
d287af28a137d9c015531eae28815d2b0d0a53879318f104ef34e5d86e2c4618

SHA512
8da648e1363d490d6a4ee5ec9e38aec86384f345ae5fd58150b2affce8c3c208e1a55598cfe820d00e9448910598ffde29d2824275ebaafaa7d33279898a2e4c

Download Submit
\Program Files (x86)\letsvpn\app-3.11.2\LetsVPNDomainModel.dll

Filesize
20KB

MD5
85bee1626071af1b07e79fc7963731e4

SHA1
d804e63940798891928f3ba29be85cf06fbb9769

SHA256
222f84cd3111f90b7ce045119e63678ee180ab0a7c4f48cae25f097ee425debe

SHA512
6649931736a607dceea5ec8180e07c14c331761a7dd0fa5ab4187d3302c0a51262ccce40024d6540f3453d8bdd43785c5f8d45e9c5252e097b69b30fced78832

Download Submit
\Program Files (x86)\letsvpn\app-3.11.2\Utils.dll

Filesize
126KB

MD5
8af72dc9783c52125e229f8b79afba94

SHA1
71178bc7cfced6bc5dcb45ed666cdbe2c55182dd

SHA256
68ae722154cebfb3a3ca59b135e182a68fa0d6966a089008028f97022849bbc5

SHA512
dcada700522b78fe0006e84c6599a9857269512eb65a68c0475635f76d5805c43decad74232eb39dae83f987b3dabafe07129d44cce950c8dc9efd11901599e2

Download Submit
\Program Files (x86)\letsvpn\app-3.11.2\log4net.dll

Filesize
273KB

MD5
5b9a663d7584d8e605b0c39031ec485a

SHA1
b7d86ebe4e18cb6d2a48a1c97ac6f7e39c8a9b91

SHA256
e45afce6eff080d568e3e059498f5768585143336c600011273366905f4fc635

SHA512
b02bd950384cf3d656c4b8f590013392e3028c6183aa9321bd91b6fc1f5d41b03771313ca5e3305398a60642fa14fc5a98daf3e6decba586c80861bafcbf0c64

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe

Filesize
99KB

MD5
1e3cf83b17891aee98c3e30012f0b034

SHA1
824f299e8efd95beca7dd531a1067bfd5f03b646

SHA256
9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

SHA512
fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

Download Submit
\ProgramData\8iVy2\0Xs71~16\msvcp140.dll

Filesize
429KB

MD5
cfbdf284c12056347e6773cb3949fbba

SHA1
ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8

SHA256
bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f

SHA512
2f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f

Download Submit
\ProgramData\8iVy2\0Xs71~16\vcruntime140.dll

Filesize
81KB

MD5
8e65e033799eb9fd46bc5c184e7d1b85

SHA1
e1cc5313be1f7df4c43697f8f701305585fe4e71

SHA256
be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4

SHA512
e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd

Download Submit
\Users\Admin\AppData\Local\Temp\nsj3F52.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
\Users\Admin\AppData\Local\Temp\nsj3F52.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
\Users\Admin\AppData\Local\Temp\nsj3F52.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/1300-745-0x0000000000BB0000-0x0000000000BD6000-memory.dmp

Filesize
152KB

Download
memory/2416-819-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/2416-958-0x000000000E590000-0x000000000E5A2000-memory.dmp

Filesize
72KB

Download
memory/2416-801-0x00000000020B0000-0x00000000020D4000-memory.dmp

Filesize
144KB

Download
memory/2416-1515-0x000000006BEB0000-0x000000006C918000-memory.dmp

Filesize
10.4MB

Download
memory/2416-1316-0x000000006BEB0000-0x000000006C918000-memory.dmp

Filesize
10.4MB

Download
memory/2416-805-0x00000000020E0000-0x0000000002126000-memory.dmp

Filesize
280KB

Download
memory/2416-1315-0x000000006BEB0000-0x000000006C918000-memory.dmp

Filesize
10.4MB

Download
memory/2416-810-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2416-811-0x0000000005160000-0x0000000005212000-memory.dmp

Filesize
712KB

Download
memory/2416-812-0x00000000049A0000-0x00000000049BE000-memory.dmp

Filesize
120KB

Download
memory/2416-813-0x00000000049C0000-0x00000000049DA000-memory.dmp

Filesize
104KB

Download
memory/2416-814-0x00000000049F0000-0x00000000049FA000-memory.dmp

Filesize
40KB

Download
memory/2416-815-0x0000000005220000-0x0000000005246000-memory.dmp

Filesize
152KB

Download
memory/2416-816-0x00000000047D0000-0x00000000047D8000-memory.dmp

Filesize
32KB

Download
memory/2416-817-0x0000000004B50000-0x0000000004B5A000-memory.dmp

Filesize
40KB

Download
memory/2416-818-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/2416-1314-0x000000006BEB0000-0x000000006C918000-memory.dmp

Filesize
10.4MB

Download
memory/2416-820-0x0000000005B00000-0x0000000005B26000-memory.dmp

Filesize
152KB

Download
memory/2416-821-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/2416-823-0x0000000005C80000-0x0000000005C8A000-memory.dmp

Filesize
40KB

Download
memory/2416-822-0x0000000005C80000-0x0000000005C8A000-memory.dmp

Filesize
40KB

Download
memory/2416-797-0x0000000000B20000-0x0000000000CA4000-memory.dmp

Filesize
1.5MB

Download
memory/2416-957-0x000000000E580000-0x000000000E588000-memory.dmp

Filesize
32KB

Download
memory/2416-959-0x000000000E700000-0x000000000E714000-memory.dmp

Filesize
80KB

Download
memory/2416-960-0x000000000E760000-0x000000000E768000-memory.dmp

Filesize
32KB

Download
memory/2416-961-0x000000002E990000-0x000000002E9A2000-memory.dmp

Filesize
72KB

Download
memory/2416-970-0x000000002EE10000-0x000000002EE20000-memory.dmp

Filesize
64KB

Download
memory/2416-975-0x000000002F880000-0x000000002F8DC000-memory.dmp

Filesize
368KB

Download
memory/2416-974-0x000000002F400000-0x000000002F410000-memory.dmp

Filesize
64KB

Download
memory/2416-973-0x000000002F3E0000-0x000000002F3F6000-memory.dmp

Filesize
88KB

Download
memory/2416-976-0x0000000004820000-0x000000000483E000-memory.dmp

Filesize
120KB

Download
memory/2416-977-0x000000006BEB0000-0x000000006C918000-memory.dmp

Filesize
10.4MB

Download
memory/2416-978-0x00000000302D0000-0x0000000030302000-memory.dmp

Filesize
200KB

Download
memory/2416-979-0x0000000005C80000-0x0000000005C8A000-memory.dmp

Filesize
40KB

Download
memory/2416-1092-0x000000006BEB0000-0x000000006C918000-memory.dmp

Filesize
10.4MB

Download
memory/2904-1-0x0000000180000000-0x0000000180264000-memory.dmp

Filesize
2.4MB

Download
memory/2904-2-0x0000000180000000-0x0000000180264000-memory.dmp

Filesize
2.4MB

Download
memory/2904-19-0x0000000180000000-0x0000000180264000-memory.dmp

Filesize
2.4MB

Download
memory/2904-3-0x0000000180000000-0x0000000180264000-memory.dmp

Filesize
2.4MB

Download
memory/2904-4-0x0000000180000000-0x0000000180264000-memory.dmp

Filesize
2.4MB

Download
memory/2928-29-0x0000000001F90000-0x0000000001FF9000-memory.dmp

Filesize
420KB

Download