Windows Analysis Report
TlsPatcher-1.1.1.exe

Overview

General Information

Sample name:	TlsPatcher-1.1.1.exe
Analysis ID:	1545112
MD5:	fdeac4be6f9e9154d54956760c3f0f58
SHA1:	b706a826fbfdf577e5806927d43fb7d9138093e6
SHA256:	7a16eee0bac29b88ad46a147dcad633860e81541538d91cc0e397b5d6b5986fe
Infos:

Detection

Score:	7
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Classification

Signatures

Uses 32bit PE files

Source: TlsPatcher-1.1.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{114CA666-974E-4CC7-BE0E-45C1F713825B}

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

File created: C:\Users\user\AppData\Local\Temp\TLS_Patcher_v1.1.1_20241030011659_000_LevelUp.Integrations.TlsPatcher.Installer_1.1.1_x64.msi.log

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe

File created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\license.rtf

Source: TlsPatcher-1.1.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\66c66c.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7C4.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{114CA666-974E-4CC7-BE0E-45C1F713825B}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC852.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\66c66f.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\66c66f.msi

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC7C4.tmp

Uses 32bit PE files

Source: TlsPatcher-1.1.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: clean7.winEXE@10/21@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

File created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\

Source: TlsPatcher-1.1.1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

File read: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

Source: unknown	Process created: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe "C:\Users\user\Desktop\TlsPatcher-1.1.1.exe"
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe "C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe" -burn.clean.room="C:\Users\user\Desktop\TlsPatcher-1.1.1.exe" -burn.filehandle.attached=524 -burn.filehandle.self=520
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe "C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe" -burn.clean.room="C:\Users\user\Desktop\TlsPatcher-1.1.1.exe" -burn.filehandle.attached=524 -burn.filehandle.self=520
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe" -q -burn.elevated BurnPipe.{567FAD9A-84D5-4F0A-B05E-A60CC1098593} {A2E813C1-ACFD-4546-839C-313841CBE496} 6316
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe" -q -burn.elevated BurnPipe.{567FAD9A-84D5-4F0A-B05E-A60CC1098593} {A2E813C1-ACFD-4546-839C-313841CBE496} 6316
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BCEF48201EFB427ED67C871BCA995DA8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BCEF48201EFB427ED67C871BCA995DA8

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: msi.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: feclient.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: srclient.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: usoapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: sxproxy.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{114CA666-974E-4CC7-BE0E-45C1F713825B}

Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TlsPatcher-1.1.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: TlsPatcher-1.1.1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: TlsPatcher-1.1.1.exe

Static PE information: section name: .wixburn

Drops PE files

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	File created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	File created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7C4.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSIC7C4.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

File created: C:\Users\user\AppData\Local\Temp\TLS_Patcher_v1.1.1_20241030011659_000_LevelUp.Integrations.TlsPatcher.Installer_1.1.1_x64.msi.log

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe

File created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\license.rtf

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\wixstdba.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC7C4.tmp			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 5080

Thread sleep time: -300000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe "C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe" -burn.clean.room="C:\Users\user\Desktop\TlsPatcher-1.1.1.exe" -burn.filehandle.attached=524 -burn.filehandle.self=520
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe" -q -burn.elevated BurnPipe.{567FAD9A-84D5-4F0A-B05E-A60CC1098593} {A2E813C1-ACFD-4546-839C-313841CBE496} 6316

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Screenshots

Network Map

⊘No contacted IP infos

Uses 32bit PE files

Source: TlsPatcher-1.1.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{114CA666-974E-4CC7-BE0E-45C1F713825B}

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

File created: C:\Users\user\AppData\Local\Temp\TLS_Patcher_v1.1.1_20241030011659_000_LevelUp.Integrations.TlsPatcher.Installer_1.1.1_x64.msi.log

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe

File created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\license.rtf

Source: TlsPatcher-1.1.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\66c66c.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7C4.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{114CA666-974E-4CC7-BE0E-45C1F713825B}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC852.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\66c66f.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\66c66f.msi

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC7C4.tmp

Uses 32bit PE files

Source: TlsPatcher-1.1.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: clean7.winEXE@10/21@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

File created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\

Source: TlsPatcher-1.1.1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

File read: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

Source: unknown	Process created: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe "C:\Users\user\Desktop\TlsPatcher-1.1.1.exe"
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe "C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe" -burn.clean.room="C:\Users\user\Desktop\TlsPatcher-1.1.1.exe" -burn.filehandle.attached=524 -burn.filehandle.self=520
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe "C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe" -burn.clean.room="C:\Users\user\Desktop\TlsPatcher-1.1.1.exe" -burn.filehandle.attached=524 -burn.filehandle.self=520
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe" -q -burn.elevated BurnPipe.{567FAD9A-84D5-4F0A-B05E-A60CC1098593} {A2E813C1-ACFD-4546-839C-313841CBE496} 6316
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe" -q -burn.elevated BurnPipe.{567FAD9A-84D5-4F0A-B05E-A60CC1098593} {A2E813C1-ACFD-4546-839C-313841CBE496} 6316
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BCEF48201EFB427ED67C871BCA995DA8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BCEF48201EFB427ED67C871BCA995DA8

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: msi.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: feclient.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: srclient.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: usoapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: sxproxy.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{114CA666-974E-4CC7-BE0E-45C1F713825B}

Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TlsPatcher-1.1.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TlsPatcher-1.1.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: TlsPatcher-1.1.1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TlsPatcher-1.1.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: TlsPatcher-1.1.1.exe

Static PE information: section name: .wixburn

Drops PE files

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	File created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	File created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7C4.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSIC7C4.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

File created: C:\Users\user\AppData\Local\Temp\TLS_Patcher_v1.1.1_20241030011659_000_LevelUp.Integrations.TlsPatcher.Installer_1.1.1_x64.msi.log

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe

File created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\license.rtf

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {fe0fc20b-fc4f-4233-98e4-e30940c5703c}

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\wixstdba.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC7C4.tmp			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 5080

Thread sleep time: -300000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe "C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe" -burn.clean.room="C:\Users\user\Desktop\TlsPatcher-1.1.1.exe" -burn.filehandle.attached=524 -burn.filehandle.self=520
Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Process created: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe" -q -burn.elevated BurnPipe.{567FAD9A-84D5-4F0A-B05E-A60CC1098593} {A2E813C1-ACFD-4546-839C-313841CBE496} 6316

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.be\LevelUp.Integrations.TlsPatcher.Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

ID:	1545112
Product:	CloudBasic
Start time:	06:16:31
Start date:	30.10.2024
Sample:	TlsPatcher-1.1.1.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fdeac4be6f9e9154d54956760c3f0f58
SHA1:	b706a826fbfdf577e5806927d43fb7d9138093e6
SHA256:	7a16eee0bac29b88ad46a147dcad633860e81541538d91cc0e397b5d6b5986fe
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\66c66e.rbs	data	9E277098E8EAFF1B89F2E4B674181722	DD2F34537A3BD5CA40D5F5C245297CEC7BA7CB57	8F485DD3372AACFB6F3256610FA7EE2E5CC63BFFF8ED7BEB62CD08E8DD03081A
C:\ProgramData\Package Cache\{fe0fc20b-fc4f-4233-98e4-e30940c5703c}\state.rsm	data	A28AA3B3F976E68E91F4532C37BE8240	EF2FAA2EDC33320FC3B33B2D83252DE57F08630F	23626E7704DF61CC225E62934D3382A85C4A43390DDCC1FD597ED9BAAB827C47
C:\Users\user\AppData\Local\Temp\TLS_Patcher_v1.1.1_20241030011659.log	ASCII text, with very long lines (369), with CRLF line terminators	2D12E7FA5485638E0174ABFE815D3017	612B91CC7E2DBB062A77BF265B1DCF350DFAF806	1B574C5D5F918E7628FFC75E92FCBB037CCA2456F790785236CC8425DC971B79
C:\Users\user\AppData\Local\Temp\TLS_Patcher_v1.1.1_20241030011659_000_LevelUp.Integrations.TlsPatcher.Installer_1.1.1_x64.msi.log	data	57C9DB69A9354FB3902CD9B032F68F1E	A80DE1742C3E91CAB25D6FB4E5C5D7EB47B23D3A	624B05969558DB7CBAC85133497E014A636EF06F1D180DB8B6CF16A602F24370
C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\BootstrapperApplicationData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (639), with CRLF line terminators	7D43513A24A9F06D7E5A729AED76AA8C	FD552BA21023477AB6FA29766886FE21A3AFFE98	D8F73EFACAE0976AD9B3224929E9A71FA84452F31051541454024DEE6B25B268
C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\license.rtf	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	2F77829B4E38131943432F00100954E7	8C9F134F95ED99C566955CDEAB97EFECCA17751B	7B13D9BD4479FFBD871EA5CD34E7DA82B23F302566D3364B62B7C4CE3592C0FE
C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\logo.png	PC bitmap, Windows 3.x format, 64 x 64 x 24, image size 12290, resolution 2834 x 2834 px/m, cbSize 12344, bits offset 54	2DB77FD097089DF6DF35C6EED482622C	1A4F568BDF4A25547D9965E1D4D8C046EAFAF601	1CACA6C6363D1EF664602163BDED7CC2C9FF5DD3F75824B49C565AF7DE716B48
C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\thm.wxl	XML 1.0 document, ASCII text, with CRLF line terminators	5D492AF2E8C9B2AB58CA1A10248C726F	4784F32B8A0D16D3E05B10BACEF1F840D8FACA51	ACCF0D8BFCEF21F5F80730D90705446FC0253174A484FD73B6523A092224322D
C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\thm.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F62729C6D2540015E072514226C121C7	C1E189D693F41AC2EAFCC363F7890FC0FEA6979C	F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
C:\Users\user\AppData\Local\Temp\{65096706-3665-413A-A3D6-FEF50A7ACF69}\.ba\wixstdba.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	6BA2E331E0F447AAFF0E8142DF5F7230	7A3F7FB93E7BDCF04FA83B50BDE1D939B1864023	58A135101A2044D96F470E29369A8214C5C2ADD774488D73C6AE81A588582239
C:\Users\user\AppData\Local\Temp\{7237ACD7-6703-4D28-844D-D93F0C6C709E}\.cr\TlsPatcher-1.1.1.exe	PE32 executable (GUI) Intel 80386, for MS Windows	52A35A13FBEE36EA9BDD03038941A70C	682F46047D6DFF83181449316FA91DF0E1600305	1915B0393F91AF34EF23A7E3AC1C41A62294978B1E396D7C72D50D1DFD6F4791
C:\Windows\Installer\66c66c.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: LevelUp TLS Patcher v1.1.1, Author: LevelUp, Keywords: Installer, Comments: This installer database contains the logic and data required to install LevelUp TLS Patcher v1.1.1., Template: x64;1033, Revision Number: {64FB791B-0D06-4040-84F4-E3B4AFF5A845}, Create Time/Date: Wed May 13 21:18:44 2020, Last Saved Time/Date: Wed May 13 21:18:44 2020, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	A6C9ABEF89C6B65B9C059C45B716296F	C27B20620A72836594DB24A0952BE3B09AC29DDA	4FD2C775176EB0C600AF76F595A0D8FB164B16F725FF1444EF6C6F7A8B285C0A
C:\Windows\Installer\MSIC7C4.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BA84DD4E0C1408828CCC1DE09F585EDA	E8E10065D479F8F591B9885EA8487BC673301298	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
C:\Windows\Installer\MSIC852.tmp	data	62D58207B06823FF5BBD7CC8A2AB2F67	755B51D5C520572E5B7E690166BAA6E7E6A6A844	006A42B9967BFA54A04B37C4C8E2711A2F3A57FA37A51674374BBDACF606DE00
C:\Windows\Installer\SourceHash{114CA666-974E-4CC7-BE0E-45C1F713825B}	Composite Document File V2 Document, Cannot read section info	EFCC45B1CDDD7750D78B281E75E9A199	86F0B1834172F18AA5850A2F634954EBCD599D80	195F0A661AA7A999E80AE1482FDB44DB6142DDB750C682009F4D064FA0D1958C
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	27BC76A3182547031D4A1D67089ABBF5	74C7660CD596B9476D956F68D8EBDD5019B8D57D	B1DEEB57C55B04179F981498FC7F6246242BABAE71849F04D3F13D36C5E6F2A7
C:\Windows\Temp\~DF050ED0814432636B.TMP	Composite Document File V2 Document, Cannot read section info	B7CF08BB18393086BA64D9F818F07560	D08BCA4978955B544FAB2C526C56B21A5E6D6004	B3CBA1FBBA739B9CB5794F4431C30936DB22721FDBB3D36B0E455980DCDAEE63
C:\Windows\Temp\~DF0DE71B30CB93E5C5.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFB3B1F03575E1DC17.TMP	data	309FB03B40604C30FA2BF5B1585F8005	E0C567DD5785CC651C5988577420DD9FAB127421	B15F98BE25528A6B6F4F9259670EC619D36F3A4ACE57FBC3B57A0849A33A1045
C:\Windows\Temp\~DFB8C932A903BBF963.TMP	data	12347EB36517D0C2EBCFF63D642B44E0	099242494205C7103E9C26A4394E5850736AB0BC	0F8AF40DDE8BE6E4FE1567018E9040DD122089F428CE12B291D853FF265346D0
C:\Windows\Temp\~DFBB69BE51854C45C4.TMP	Composite Document File V2 Document, Cannot read section info	66C96FD45C521EE25BFF8BF53C938E07	9916E8D0C2D9EFB420BB6FB5C8FFC5EF41299DAA	E8EF353617127B305AFEB07F32400B4F985325F2134968C6535063A911323A7C

Windows Analysis Report
TlsPatcher-1.1.1.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report TlsPatcher-1.1.1.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report
TlsPatcher-1.1.1.exe