Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-12-2024 02:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe
Resource
win7-20240903-en
windows7-x64
36 signatures
150 seconds
Behavioral task
behavioral2
Sample
72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
38 signatures
150 seconds
General
-
Target
72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe
-
Size
15.4MB
-
MD5
af2833e834f0075925efd5def71dfedc
-
SHA1
2b96c972ef54296998a4c032b093f33527e2bf2f
-
SHA256
72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0
-
SHA512
6f00a417331200aff6d6633063a1713e6ea83b9f202bde9693c456cac56242937d27282dbe7fcf3b8b117b7241406d672796baac5abe85f2a6dab0d5df6e9a9a
-
SSDEEP
196608:CVcPiSoR+91pUGjq941X4bZWF321bkADocBk1QujqrKUy5PT7V/jp6siiqc0jV7H:Su1f1XLg1EGkHe0TBN6sivhJyS7Z9
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2528-33-0x0000000010000000-0x000000001019E000-memory.dmp purplefox_rootkit behavioral1/memory/2864-46-0x0000000010000000-0x000000001019E000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral1/memory/2528-33-0x0000000010000000-0x000000001019E000-memory.dmp family_gh0strat behavioral1/memory/2864-46-0x0000000010000000-0x000000001019E000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 4 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe File opened for modification C:\Windows\system32\DRIVERS\SET1D50.tmp DrvInst.exe File created C:\Windows\system32\DRIVERS\SET1D50.tmp DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\tap0901.sys DrvInst.exe -
Modifies Windows Firewall 2 TTPs 5 IoCs
pid Process 1828 netsh.exe 1272 netsh.exe 1712 netsh.exe 2260 netsh.exe 2876 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Executes dropped EXE 8 IoCs
pid Process 2392 letsvpn-latest.exe 2528 svchost.exe 2864 sainbox.exe 1108 tapinstall.exe 1684 tapinstall.exe 2700 tapinstall.exe 620 LetsPRO.exe 2796 LetsPRO.exe -
Loads dropped DLL 64 IoCs
pid Process 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2528 svchost.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 2392 letsvpn-latest.exe 620 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\" /silent" LetsPRO.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: sainbox.exe File opened (read-only) \??\Z: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\S: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\B: sainbox.exe File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\R: sainbox.exe File opened (read-only) \??\W: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\J: sainbox.exe File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\M: sainbox.exe -
pid Process 1680 cmd.exe 1212 ARP.EXE -
Drops file in System32 directory 21 IoCs
description ioc Process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\oemvista.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\SETF549.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\SETF548.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\SETF549.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstor.dat DrvInst.exe File created C:\Windows\System32\DriverStore\INFCACHE.0 DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\SETF538.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\SETF538.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\SETF548.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat tapinstall.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\SQLite-net.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.ThreadPool.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.NameResolution.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Principal.Windows.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\ru\System.Web.Services.Description.resources.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-x86\native\e_sqlite3.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Linq.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\it\System.Web.Services.Description.resources.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\ja letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.WebSockets.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\arm64 letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Requests.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-x86\native letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\LetsVPNDomainModel.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.Debug.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.UnmanagedMemoryStream.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.InteropServices.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Linq.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Principal.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\microsoft.identitymodel.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Data.Odbc.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.Tools.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Sockets.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\DeltaCompressionDotNet.MsDelta.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\Mono.Cecil.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\ToastNotifications.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.TraceSource.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.AccessControl.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.Serialization.Primitives.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Csp.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.IsolatedStorage.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.WebHeaderCollection.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Configuration.ConfigurationManager.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Console.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.FileSystem.AccessControl.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\ja\System.Web.Services.Description.resources.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\zh-HK\LetsPRO.resources.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\zh-TW letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\NuGet.Squirrel.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\SQLitePCLRaw.core.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.Tasks.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\zh-CN\LetsPRO.resources.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\FontAwesome.WPF.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.ServiceModel.Security.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Csp.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Encoding.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Xml.ReaderWriter.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.StackTrace.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Security.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Xml.XmlSerializer.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe.config letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Text.Encoding.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.InteropServices.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Pkcs.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\ToastNotifications.Messages.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\pl\System.Web.Services.Description.resources.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\CommunityToolkit.Mvvm.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Console.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Xml.XPath.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-x86\native\e_sqlite3.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.11.2\System.Collections.Concurrent.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.Contracts.dll letsvpn-latest.exe -
Drops file in Windows directory 17 IoCs
description ioc Process File created C:\Windows\svchost.exe 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe File opened for modification C:\Windows\svchost.exe 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe File opened for modification C:\Windows\svchost.exe svchost.exe File opened for modification C:\Windows\INF\setupapi.app.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\__tmp_rar_sfx_access_check_259433703 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe File opened for modification C:\Windows\INF\setupapi.ev2 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\INF\oem2.PNF DrvInst.exe File opened for modification C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\letsvpn-latest.exe 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\oem2.inf DrvInst.exe File created C:\Windows\letsvpn-latest.exe 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe -
pid Process 2884 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ROUTE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ARP.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language letsvpn-latest.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipconfig.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2788 cmd.exe 2848 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2932 ipconfig.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sstpsvc.dll,-203 = "Allows you to securely connect to a private network using the Internet." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network." DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network." DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516." DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks." DrvInst.exe -
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\" \"%1\"" LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2 LetsPRO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\ = "letsvpn2Protocol" LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open LetsPRO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe" LetsPRO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\",1" LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command LetsPRO.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e LetsPRO.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c6921900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c0400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a414000000010000001400000032eb929aff3596482f284042702036915c1785e61800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8 LetsPRO.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 LetsPRO.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692 LetsPRO.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2848 PING.EXE -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 2884 powershell.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2864 sainbox.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe -
Suspicious behavior: LoadsDriver 3 IoCs
pid Process 2864 sainbox.exe 476 Process not Found 476 Process not Found -
Suspicious use of AdjustPrivilegeToken 59 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2528 svchost.exe Token: SeLoadDriverPrivilege 2864 sainbox.exe Token: SeDebugPrivilege 2884 powershell.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2340 rundll32.exe Token: SeRestorePrivilege 2340 rundll32.exe Token: SeRestorePrivilege 2340 rundll32.exe Token: SeRestorePrivilege 2340 rundll32.exe Token: SeRestorePrivilege 2340 rundll32.exe Token: SeRestorePrivilege 2340 rundll32.exe Token: SeRestorePrivilege 2340 rundll32.exe Token: SeBackupPrivilege 2720 vssvc.exe Token: SeRestorePrivilege 2720 vssvc.exe Token: SeAuditPrivilege 2720 vssvc.exe Token: SeBackupPrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 2908 DrvInst.exe Token: SeRestorePrivilege 1684 tapinstall.exe Token: SeLoadDriverPrivilege 1684 tapinstall.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeRestorePrivilege 2316 DrvInst.exe Token: SeLoadDriverPrivilege 2316 DrvInst.exe Token: SeDebugPrivilege 2796 LetsPRO.exe Token: 33 2864 sainbox.exe Token: SeIncBasePriorityPrivilege 2864 sainbox.exe Token: 33 2864 sainbox.exe Token: SeIncBasePriorityPrivilege 2864 sainbox.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe 2796 LetsPRO.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 2392 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 30 PID 2120 wrote to memory of 2392 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 30 PID 2120 wrote to memory of 2392 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 30 PID 2120 wrote to memory of 2392 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 30 PID 2120 wrote to memory of 2392 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 30 PID 2120 wrote to memory of 2392 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 30 PID 2120 wrote to memory of 2392 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 30 PID 2120 wrote to memory of 2528 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 31 PID 2120 wrote to memory of 2528 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 31 PID 2120 wrote to memory of 2528 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 31 PID 2120 wrote to memory of 2528 2120 72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe 31 PID 2392 wrote to memory of 2884 2392 letsvpn-latest.exe 32 PID 2392 wrote to memory of 2884 2392 letsvpn-latest.exe 32 PID 2392 wrote to memory of 2884 2392 letsvpn-latest.exe 32 PID 2392 wrote to memory of 2884 2392 letsvpn-latest.exe 32 PID 2528 wrote to memory of 2864 2528 svchost.exe 34 PID 2528 wrote to memory of 2864 2528 svchost.exe 34 PID 2528 wrote to memory of 2864 2528 svchost.exe 34 PID 2528 wrote to memory of 2864 2528 svchost.exe 34 PID 2528 wrote to memory of 2788 2528 svchost.exe 35 PID 2528 wrote to memory of 2788 2528 svchost.exe 35 PID 2528 wrote to memory of 2788 2528 svchost.exe 35 PID 2528 wrote to memory of 2788 2528 svchost.exe 35 PID 2788 wrote to memory of 2848 2788 cmd.exe 37 PID 2788 wrote to memory of 2848 2788 cmd.exe 37 PID 2788 wrote to memory of 2848 2788 cmd.exe 37 PID 2788 wrote to memory of 2848 2788 cmd.exe 37 PID 2392 wrote to memory of 1108 2392 letsvpn-latest.exe 39 PID 2392 wrote to memory of 1108 2392 letsvpn-latest.exe 39 PID 2392 wrote to memory of 1108 2392 letsvpn-latest.exe 39 PID 2392 wrote to memory of 1108 2392 letsvpn-latest.exe 39 PID 2392 wrote to memory of 1684 2392 letsvpn-latest.exe 41 PID 2392 wrote to memory of 1684 2392 letsvpn-latest.exe 41 PID 2392 wrote to memory of 1684 2392 letsvpn-latest.exe 41 PID 2392 wrote to memory of 1684 2392 letsvpn-latest.exe 41 PID 2908 wrote to memory of 2340 2908 DrvInst.exe 44 PID 2908 wrote to memory of 2340 2908 DrvInst.exe 44 PID 2908 wrote to memory of 2340 2908 DrvInst.exe 44 PID 2720 wrote to memory of 1512 2720 vssvc.exe 48 PID 2720 wrote to memory of 1512 2720 vssvc.exe 48 PID 2720 wrote to memory of 1512 2720 vssvc.exe 48 PID 2392 wrote to memory of 1772 2392 letsvpn-latest.exe 50 PID 2392 wrote to memory of 1772 2392 letsvpn-latest.exe 50 PID 2392 wrote to memory of 1772 2392 letsvpn-latest.exe 50 PID 2392 wrote to memory of 1772 2392 letsvpn-latest.exe 50 PID 1772 wrote to memory of 1828 1772 cmd.exe 52 PID 1772 wrote to memory of 1828 1772 cmd.exe 52 PID 1772 wrote to memory of 1828 1772 cmd.exe 52 PID 1772 wrote to memory of 1828 1772 cmd.exe 52 PID 2392 wrote to memory of 1696 2392 letsvpn-latest.exe 53 PID 2392 wrote to memory of 1696 2392 letsvpn-latest.exe 53 PID 2392 wrote to memory of 1696 2392 letsvpn-latest.exe 53 PID 2392 wrote to memory of 1696 2392 letsvpn-latest.exe 53 PID 1696 wrote to memory of 1272 1696 cmd.exe 55 PID 1696 wrote to memory of 1272 1696 cmd.exe 55 PID 1696 wrote to memory of 1272 1696 cmd.exe 55 PID 1696 wrote to memory of 1272 1696 cmd.exe 55 PID 2392 wrote to memory of 1496 2392 letsvpn-latest.exe 56 PID 2392 wrote to memory of 1496 2392 letsvpn-latest.exe 56 PID 2392 wrote to memory of 1496 2392 letsvpn-latest.exe 56 PID 2392 wrote to memory of 1496 2392 letsvpn-latest.exe 56 PID 1496 wrote to memory of 1712 1496 cmd.exe 58 PID 1496 wrote to memory of 1712 1496 cmd.exe 58 PID 1496 wrote to memory of 1712 1496 cmd.exe 58 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe"C:\Users\Admin\AppData\Local\Temp\72647cc37c58f07c6e3a2ce90fcc04ae73f76ff02d9e6a0238ac7fe2222ddda0.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\letsvpn-latest.exe"C:\Windows\letsvpn-latest.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"3⤵
- Drops file in Windows directory
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
PID:1108
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap09013⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1272
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO3⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2260
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsVPN3⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsVPN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2876
-
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
PID:2700
-
-
C:\Program Files (x86)\letsvpn\LetsPRO.exe"C:\Program Files (x86)\letsvpn\LetsPRO.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:620 -
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe"C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ipconfig /all5⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:2932
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=15⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\netsh.exenetsh interface ipv4 set interface LetsTAP metric=16⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:408
-
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2076
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C route print5⤵
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\ROUTE.EXEroute print6⤵
- System Location Discovery: System Language Discovery
PID:2980
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C arp -a5⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\ARP.EXEarp -a6⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:1212
-
-
-
-
-
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe"3⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2848
-
-
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7b167aae-448a-2595-3c68-133060185678}\oemvista.inf" "9" "6d14a44ff" "00000000000005E0" "WinSta0\Default" "00000000000004C4" "208" "c:\program files (x86)\letsvpn\driver"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{45526fc7-dda3-35c4-1538-ad621408da05} Global\{0cb0593e-ff89-633a-554a-1c1d52d60939} C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{0e95aaeb-5491-2878-1408-da051af4a144}\tap0901.cat2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2720 -s 5402⤵PID:1512
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "00000000000005E0" "0000000000000590" "00000000000005DC"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1536
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Discovery
Network Service Discovery
1Peripheral Device Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD5143351606a574d84328219a7c18c7219
SHA18e47c7b530f40553f4a88daff11d78255cc77730
SHA256cbe3b5714c52ad9ff8885d9893c9ed77ad54485a7c5bae3a75151c06d3ae7c4f
SHA512b4698855a37639cac6dd4c400d11028bba1433f43e811e23881a72f7875048c77cf0dbd8bab8c0374ae7182fe41f37f69f5942d770fbbead86b12805b6647291
-
Filesize
1.5MB
MD5ca72f8ead2ae568acc481f685385fb60
SHA1887a1d53c8b61c81a80592ff62cf9cdf56b29d18
SHA256d287af28a137d9c015531eae28815d2b0d0a53879318f104ef34e5d86e2c4618
SHA5128da648e1363d490d6a4ee5ec9e38aec86384f345ae5fd58150b2affce8c3c208e1a55598cfe820d00e9448910598ffde29d2824275ebaafaa7d33279898a2e4c
-
Filesize
26KB
MD56126a1ab971d6bd4761f45791af90b1e
SHA136013821807f6fe08fe3b60a22ec519fd3e5579c
SHA2569b7b7ec30f305b3cd9da40662f95ed57ae89ed8afd2b11d26503e387ff3c262d
SHA5129f74f9f4ad593980337099717ba1e6b584530ee0e192b137297961d1550a70ae3a30fc1bf3e6e670fb817682354648d610f2a542b753a61f397ccaca20908510
-
Filesize
20KB
MD585bee1626071af1b07e79fc7963731e4
SHA1d804e63940798891928f3ba29be85cf06fbb9769
SHA256222f84cd3111f90b7ce045119e63678ee180ab0a7c4f48cae25f097ee425debe
SHA5126649931736a607dceea5ec8180e07c14c331761a7dd0fa5ab4187d3302c0a51262ccce40024d6540f3453d8bdd43785c5f8d45e9c5252e097b69b30fced78832
-
Filesize
693KB
MD533a3c1df70cfab1888a4b20565515f81
SHA1c1bfab7454dda45074a6e2b9ae4e9a2712830af6
SHA2560c3c293507c487b76021baaded76defb0fecaf01c1327a448a9b756987595a9e
SHA51276d3e0c34c5e793283910f93af3693355abdd374cf50234496cf3bbebf82a381113fbb4d53ad469f2f5a001b2cb96c761310a3825f8973ae61a4e8b59061cb28
-
Filesize
1KB
MD57a7521bc7f838610905ce0286324ce39
SHA18ab90dd0c4b6edb79a6af2233340d0f59e9ac195
SHA2562a322178557c88cc3c608101e8fc84bfd2f8fa9b81483a443bb3d09779de218d
SHA512b25dfdce0977eaf7159df5eabe4b147a6c0adac39c84d1c7a9fe748446a10c8d2e20d04cf36221057aa210633df65f2a460821c8c79a2db16c912ec53a714d83
-
Filesize
273KB
MD55b9a663d7584d8e605b0c39031ec485a
SHA1b7d86ebe4e18cb6d2a48a1c97ac6f7e39c8a9b91
SHA256e45afce6eff080d568e3e059498f5768585143336c600011273366905f4fc635
SHA512b02bd950384cf3d656c4b8f590013392e3028c6183aa9321bd91b6fc1f5d41b03771313ca5e3305398a60642fa14fc5a98daf3e6decba586c80861bafcbf0c64
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
99KB
MD51e3cf83b17891aee98c3e30012f0b034
SHA1824f299e8efd95beca7dd531a1067bfd5f03b646
SHA2569f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f
SHA512fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD53629c34891546da446becc34a3873212
SHA1fa22477c63494c8175aaef0bd84188a8634a8c78
SHA2568836c41c53921428ab782792949f977e70fc5c828e3ab9e9aa13cf8fdfdbdb50
SHA512c00d13e4e1994ed05407804c370a7be2427f55fb6d86395342f0f9f5793b11f810c1861d7ad361ca3e8e7b1b626bf8148d3406a53e5afccc8da0c12aaa804795
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
51KB
MD57f8e1969b0874c8fb9ab44fc36575380
SHA13057c9ce90a23d29f7d0854472f9f44e87b0f09a
SHA256076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd
SHA5127aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF
Filesize8KB
MD5a77bad85d8d8bbae7f18809edccf3e3c
SHA1a2696e50d17f2b7f102efe33fc777c89ccba5705
SHA2561ad8b927d83c8e0d7417210eccd466f051f0623c2d41b62d7e7a0c2632015e9a
SHA5128b85da1222e60190e83e6b0e8eef0c182deb243206ad2a6903317cccb4bcde504f84870e90129a7cae0e03175ce7f04c84899bca7cfaf22a9886e15e47bc7f3d
-
Filesize
1.4MB
MD5a858d3e0e968bcf381296f35fec99557
SHA15f1ad758ded6c584986345b1a98875cc5be88753
SHA256ae23144bee4fbd29c9711b61a4f35c5e2de893f8b9763214cd5812e7909420df
SHA512e0c53c9bb66ec34a2bbebe3c89081ba8a6715b8e1ded3d9de67ec235524219f29b845e4a1b34a6624dd4f83536aaf32d33ac7b2b88b476af0790327625dec0cd
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
8KB
MD549d64178bfedcc3a094cccbf3df8d104
SHA19a624cfe0323361aba133b4ab1942d3e0afec287
SHA256e4df6210481358f8e0bb7ec08fe8b0d07c0f1d64bd50fec97b3b8b67cf974667
SHA512dbd498ac9e80be7b3b68ce50775b85948c48fca8ed37189db313dcd8e5b7c3fb6a5497d1f8b8cea3f560c720fcb220792ee2f0eb937a512d312e8347f6d3e0d6
-
Filesize
14.7MB
MD5e039e221b48fc7c02517d127e158b89f
SHA179eed88061472ae590616556f31576ca13bfc7fb
SHA256dc30e5dab15392627d30a506f6304030c581fc00716703fc31add10ff263d70b
SHA51287231c025bb94771e89a639c9cb1528763f096059f8806227b8ab45a8f1ea5cd3d94fdc91cb20dd140b91a14904653517f7b6673a142a864a58a2726d14ae4b8
-
Filesize
1.7MB
MD54ab645302c818acbb6ecfa1b677b2c0b
SHA13a2c2cecd29da6745b1757151e1aae92253c674c
SHA2564800add84a0ace4482dbe4ac41e69dc49f87ddaba3d7571235f9d0784c01b7ae
SHA512b8c6a82471cd7bd785278a41f0e48b8d716f70ef653ab3dd84a2ea71a5d6e997540143a80d479e72ae07a6a29bd4566930a9c0a5bb2e53cfb4d7ac4bcfc9616b
-
Filesize
30KB
MD5b1c405ed0434695d6fc893c0ae94770c
SHA179ecacd11a5f2b7e2d3f0461eef97b7b91181c46
SHA2564c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246
SHA512635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7
-
Filesize
9KB
MD54fee2548578cd9f1719f84d2cb456dbf
SHA13070ed53d0e9c965bf1ffea82c259567a51f5d5f
SHA256baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24
SHA5126bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49
-
Filesize
240KB
MD5bd8643e5db648810348aa0755e455b70
SHA1119cb1fb3057d9759d0abb3dfdafc460456c1cc4
SHA256bec6a116ea2224dd1532c6eaf20e4d61199240e55ccd0270199fbd22f2806477
SHA512b8033d8989c66431e1771ffc6d2549a4d1e32b8612b7331e7a2931ddad3e31c8a7e1af8ef129883034b1fcf466b8ad0e1cab431cbf5c20c724f4eef53468f714
-
Filesize
126KB
MD58af72dc9783c52125e229f8b79afba94
SHA171178bc7cfced6bc5dcb45ed666cdbe2c55182dd
SHA25668ae722154cebfb3a3ca59b135e182a68fa0d6966a089008028f97022849bbc5
SHA512dcada700522b78fe0006e84c6599a9857269512eb65a68c0475635f76d5805c43decad74232eb39dae83f987b3dabafe07129d44cce950c8dc9efd11901599e2
-
Filesize
12KB
MD5192639861e3dc2dc5c08bb8f8c7260d5
SHA158d30e460609e22fa0098bc27d928b689ef9af78
SHA25623d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA5126e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
-
Filesize
9KB
MD5b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA115ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA25689a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA5126467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8
-
Filesize
7KB
MD511092c1d3fbb449a60695c44f9f3d183
SHA1b89d614755f2e943df4d510d87a7fc1a3bcf5a33
SHA2562cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
SHA512c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a
