Overview

overview

10

Static

static

4f5a8b7ca3...7a.msi

windows7-x64

10

4f5a8b7ca3...7a.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2022 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a.msi

  • Size

    13.7MB

  • MD5

    afb73daab97a1a8fb156ed34715a01ca

  • SHA1

    ecb0ea164d1d1ceea4a0fb0d06f61345f4a65ac3

  • SHA256

    4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a

  • SHA512

    35dec58a6525f91f6edb2cd9ef3e53f76cbee700ac7e489cda85a443835d210cbef4d369eb3084cb4ad8f5a06a281ea35908249ff6a4f566623c99d7c94487e9

  • SSDEEP

    393216:w3Bp4yJDyaxkvEIeg/sczcezXEbpFS+zYeOPuet:WBy0Gax2fbDlzEbpFfzYeO

Score
10/10
gh0stratpurplefoxdiscoveryevasionratrootkittrojanvmprotect

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs 4 IoCs
    evasion
  • VMProtect packed file 14 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 16 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:636
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3784
    • C:\Windows\Installer\MSIF5B0.tmp
      "C:\Windows\Installer\MSIF5B0.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Users\Admin\AppData\Local\Temp\kk.exe
        C:\Users\Admin\AppData\Local\Temp\kk.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Users\Public\Videos\lsp.exe
          C:\Users\Public\Videos\lsp.exe
          4⤵
          • Executes dropped EXE
          PID:1884
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 252
            5⤵
            • Program crash
            PID:2344
        • C:\Windows\SysWOW64\SCHTASKS.exe
          SCHTASKS /Create /SC ONLOGON /TN active /F /RL HIGHEST /TR C:\Users\Public\Pictures\15824\ttvip.exe
          4⤵
          • Creates scheduled task(s)
          PID:5092
      • C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
        C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4152
        • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:4168
        • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          PID:2432
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=lets
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3084
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall Delete rule name=lets
            5⤵
            • Modifies Windows Firewall
            PID:3008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=lets.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall Delete rule name=lets.exe
            5⤵
            • Modifies Windows Firewall
            PID:240
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5112
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall Delete rule name=LetsPRO.exe
            5⤵
            • Modifies Windows Firewall
            PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:448
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall Delete rule name=LetsPRO
            5⤵
            • Modifies Windows Firewall
            PID:2232
        • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:3556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:844
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2e76d02f-2719-d54f-b957-3cce2235a8eb}\oemvista.inf" "9" "4d14a44ff" "0000000000000144" "WinSta0\Default" "0000000000000154" "208" "c:\program files (x86)\letsvpn\driver"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{d6926b38-e8bd-4f4e-bf14-39bb4b80f65a} Global\{503854c5-a3f5-be4e-963c-53aeba5f4f24} C:\Windows\System32\DriverStore\Temp\{676f2d88-19de-6944-9f1f-268718216395}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{676f2d88-19de-6944-9f1f-268718216395}\tap0901.cat
        3⤵
        • Modifies system certificate store
        PID:5000
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000015C"
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1884 -ip 1884
    1⤵
      PID:3980

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Modify Existing Service

    1
    T1031

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Install Root Certificate

    1
    T1130

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    2
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1
      Filesize

      318B

      MD5

      b34636a4e04de02d079ba7325e7565f0

      SHA1

      f32c1211eac22409bb195415cb5a8063431f75cd

      SHA256

      a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df

      SHA512

      6eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f

      Download Submit
    • C:\Program Files (x86)\letsvpn\driver\OemVista.inf
      Filesize

      7KB

      MD5

      87868193626dc756d10885f46d76f42e

      SHA1

      94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

      SHA256

      b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

      SHA512

      79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

      Download Submit
    • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      Filesize

      90KB

      MD5

      d10f74d86cd350732657f542df533f82

      SHA1

      c54074f8f162a780819175e7169c43f6706ad46c

      SHA256

      c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

      SHA512

      0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

      Download Submit
    • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      Filesize

      90KB

      MD5

      d10f74d86cd350732657f542df533f82

      SHA1

      c54074f8f162a780819175e7169c43f6706ad46c

      SHA256

      c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

      SHA512

      0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

      Download Submit
    • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      Filesize

      90KB

      MD5

      d10f74d86cd350732657f542df533f82

      SHA1

      c54074f8f162a780819175e7169c43f6706ad46c

      SHA256

      c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

      SHA512

      0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

      Download Submit
    • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      Filesize

      90KB

      MD5

      d10f74d86cd350732657f542df533f82

      SHA1

      c54074f8f162a780819175e7169c43f6706ad46c

      SHA256

      c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

      SHA512

      0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\kk.exe
      Filesize

      75KB

      MD5

      6050e96866489fe27ed9babad1857036

      SHA1

      64f2bbb3e24a665b119fed0aea149eda7723ca24

      SHA256

      7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

      SHA512

      ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\kk.exe
      Filesize

      75KB

      MD5

      6050e96866489fe27ed9babad1857036

      SHA1

      64f2bbb3e24a665b119fed0aea149eda7723ca24

      SHA256

      7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

      SHA512

      ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
      Filesize

      12.3MB

      MD5

      8834ec8d35669dd623ba5c6986ff2748

      SHA1

      1a475633f1ea1ab47edb1c030ce2ea933c0a934c

      SHA256

      addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

      SHA512

      00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
      Filesize

      12.3MB

      MD5

      8834ec8d35669dd623ba5c6986ff2748

      SHA1

      1a475633f1ea1ab47edb1c030ce2ea933c0a934c

      SHA256

      addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

      SHA512

      00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\System.dll
      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      ca95c9da8cef7062813b989ab9486201

      SHA1

      c555af25df3de51aa18d487d47408d5245dba2d1

      SHA256

      feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

      SHA512

      a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsProcess.dll
      Filesize

      4KB

      MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

      SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

      SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

      SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsxD7E.tmp\nsProcess.dll
      Filesize

      4KB

      MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

      SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

      SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

      SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\{2E76D~1\tap0901.cat
      Filesize

      19KB

      MD5

      c757503bc0c5a6679e07fe15b93324d6

      SHA1

      6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

      SHA256

      91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

      SHA512

      efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\{2E76D~1\tap0901.sys
      Filesize

      26KB

      MD5

      d765f43cbea72d14c04af3d2b9c8e54b

      SHA1

      daebe266073616e5fc931c319470fcf42a06867a

      SHA256

      89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

      SHA512

      ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\{2e76d02f-2719-d54f-b957-3cce2235a8eb}\oemvista.inf
      Filesize

      7KB

      MD5

      87868193626dc756d10885f46d76f42e

      SHA1

      94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

      SHA256

      b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

      SHA512

      79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

      Download Submit
    • C:\Users\Public\Videos\lsp.exe
      Filesize

      1.0MB

      MD5

      95f15e5ca91150a6caf86ada3023cc58

      SHA1

      6254bb5d18d7ccff4c698ec771c9bed56653d117

      SHA256

      2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

      SHA512

      bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

      Download Submit
    • C:\Users\Public\Videos\lsp.exe
      Filesize

      1.0MB

      MD5

      95f15e5ca91150a6caf86ada3023cc58

      SHA1

      6254bb5d18d7ccff4c698ec771c9bed56653d117

      SHA256

      2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

      SHA512

      bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

      Download Submit
    • C:\Windows\INF\oem2.inf
      Filesize

      7KB

      MD5

      87868193626dc756d10885f46d76f42e

      SHA1

      94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

      SHA256

      b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

      SHA512

      79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

      Download Submit
    • C:\Windows\Installer\MSIF5B0.tmp
      Filesize

      13.5MB

      MD5

      527111c6ff1bed78302d2a59a772bebe

      SHA1

      94dcdb1aa606356a613584e016d201fe9246e0f3

      SHA256

      97935af097104cb5cbafefb482f1e748613eeb6dadf80bc95c88fcc2aac6580c

      SHA512

      12c30789892746c02478ac9f920f3b6eeb37de2d36b432ba3aa4e13980eeffa869cf0be381c9a50f80dabbdfdd5d61a0a36c53dcf55ecf37b6b50690f4dae6e8

      Download Submit
    • C:\Windows\Installer\MSIF5B0.tmp
      Filesize

      13.5MB

      MD5

      527111c6ff1bed78302d2a59a772bebe

      SHA1

      94dcdb1aa606356a613584e016d201fe9246e0f3

      SHA256

      97935af097104cb5cbafefb482f1e748613eeb6dadf80bc95c88fcc2aac6580c

      SHA512

      12c30789892746c02478ac9f920f3b6eeb37de2d36b432ba3aa4e13980eeffa869cf0be381c9a50f80dabbdfdd5d61a0a36c53dcf55ecf37b6b50690f4dae6e8

      Download Submit
    • C:\Windows\System32\DriverStore\FileRepository\OEMVIS~1.INF\tap0901.sys
      Filesize

      26KB

      MD5

      d765f43cbea72d14c04af3d2b9c8e54b

      SHA1

      daebe266073616e5fc931c319470fcf42a06867a

      SHA256

      89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

      SHA512

      ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

      Download Submit
    • C:\Windows\System32\DriverStore\Temp\{676f2d88-19de-6944-9f1f-268718216395}\oemvista.inf
      Filesize

      7KB

      MD5

      87868193626dc756d10885f46d76f42e

      SHA1

      94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

      SHA256

      b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

      SHA512

      79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

      Download Submit
    • C:\Windows\System32\DriverStore\Temp\{676f2d88-19de-6944-9f1f-268718216395}\tap0901.cat
      Filesize

      19KB

      MD5

      c757503bc0c5a6679e07fe15b93324d6

      SHA1

      6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

      SHA256

      91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

      SHA512

      efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      7c28c6142d289c94069f57b619c7b33d

      SHA1

      189aba121b3c34f0f5b21775e96d3eff43132843

      SHA256

      ca70d406431a95d25af2a62a5a79eb2f7bf235d2b43c546f6a33c85615b91d06

      SHA512

      a20e34c222aaded5445d4233fc6439eefade1d183541525491a7a68aa0ee8a3cb3bb8922782adc7a14f3bacbaffebf5997869380407e09cdb2df61064190c557

      Download Submit
    • \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{06f47427-3634-48d4-9523-24acb0877ee3}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      ac52ba82ea5d255850bfc24c4c0ae40f

      SHA1

      aa7738f2d678e590f1e3b34b0544ee1310f1b4b8

      SHA256

      f7b123db9588a60101eb610f1afa2fc4d5ca8faa874e1bb1d62599c0f7ff902d

      SHA512

      777de8f58e9b26e1235929e8faa2562515efdfd9e9700bba8df46f0888196fa0a393c61ecffa96d1719324c77137fa6c7e88044bdc451b74e317c47f3dfbca62

      Download Submit
    • \??\c:\PROGRA~2\letsvpn\driver\tap0901.sys
      Filesize

      26KB

      MD5

      d765f43cbea72d14c04af3d2b9c8e54b

      SHA1

      daebe266073616e5fc931c319470fcf42a06867a

      SHA256

      89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

      SHA512

      ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

      Download Submit
    • \??\c:\program files (x86)\letsvpn\driver\tap0901.cat
      Filesize

      19KB

      MD5

      c757503bc0c5a6679e07fe15b93324d6

      SHA1

      6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

      SHA256

      91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

      SHA512

      efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

      Download Submit
    • memory/240-196-0x0000000000000000-mapping.dmp
      Download
    • memory/448-201-0x0000000000000000-mapping.dmp
      Download
    • memory/524-137-0x0000000000400000-0x0000000001DFA000-memory.dmp
      Filesize

      26.0MB

      Download
    • memory/524-133-0x0000000000000000-mapping.dmp
      Download
    • memory/524-147-0x0000000000400000-0x0000000001DFA000-memory.dmp
      Filesize

      26.0MB

      Download
    • memory/524-136-0x0000000000400000-0x0000000001DFA000-memory.dmp
      Filesize

      26.0MB

      Download
    • memory/1036-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1036-144-0x0000000000400000-0x0000000000437000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1036-143-0x0000000000400000-0x0000000000437000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1752-195-0x0000000000000000-mapping.dmp
      Download
    • memory/1884-212-0x0000000000400000-0x00000000006A8000-memory.dmp
      Filesize

      2.7MB

      Download
    • memory/1884-211-0x0000000000400000-0x00000000006A8000-memory.dmp
      Filesize

      2.7MB

      Download
    • memory/1884-219-0x0000000000400000-0x00000000006A8000-memory.dmp
      Filesize

      2.7MB

      Download
    • memory/1884-213-0x0000000010000000-0x0000000010192000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1884-207-0x0000000000000000-mapping.dmp
      Download
    • memory/2232-202-0x0000000000000000-mapping.dmp
      Download
    • memory/2400-181-0x0000000000000000-mapping.dmp
      Download
    • memory/2432-176-0x0000000000000000-mapping.dmp
      Download
    • memory/2960-188-0x0000000000000000-mapping.dmp
      Download
    • memory/3008-193-0x0000000000000000-mapping.dmp
      Download
    • memory/3084-192-0x0000000000000000-mapping.dmp
      Download
    • memory/3524-141-0x0000000000000000-mapping.dmp
      Download
    • memory/3556-204-0x0000000000000000-mapping.dmp
      Download
    • memory/3784-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4152-168-0x00000000074B0000-0x00000000074BE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4152-158-0x0000000005920000-0x0000000005986000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4152-154-0x00000000049F0000-0x0000000004A26000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4152-170-0x00000000074F0000-0x00000000074F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4152-169-0x00000000075B0000-0x00000000075CA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4152-155-0x0000000005060000-0x0000000005688000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4152-156-0x0000000004FB0000-0x0000000004FD2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4152-153-0x0000000000000000-mapping.dmp
      Download
    • memory/4152-167-0x0000000007510000-0x00000000075A6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4152-166-0x00000000072E0000-0x00000000072EA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4152-165-0x0000000007290000-0x00000000072AA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4152-164-0x0000000007910000-0x0000000007F8A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4152-163-0x0000000006520000-0x000000000653E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4152-162-0x000000006FE70000-0x000000006FEBC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4152-161-0x0000000006F20000-0x0000000006F52000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4152-159-0x0000000005F60000-0x0000000005F7E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4152-157-0x0000000005840000-0x00000000058A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4168-172-0x0000000000000000-mapping.dmp
      Download
    • memory/5000-185-0x0000000000000000-mapping.dmp
      Download
    • memory/5088-199-0x0000000000000000-mapping.dmp
      Download
    • memory/5092-209-0x0000000000000000-mapping.dmp
      Download
    • memory/5112-198-0x0000000000000000-mapping.dmp
      Download