Analysis Overview
SHA256: e3a7b4653b6d2f1270192a01da0b71f7682c6689636a8aab28b82e7365de142f
Threat Level: Likely malicious
The file lets.1xx was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
UPX packed file
VMProtect packed file
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-21 05:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-21 05:21
Reported: 2024-05-21 05:23
Platform: win10-20240404-en
Max time kernel: 36s
Max time network: 40s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\SETD3BB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SETD3BB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NetSarangX\upload.exe | N/A |
| N/A | N/A | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
UPX packed file
VMProtect packed file
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ComponentModel.Primitives.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Syndication.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\runtimes | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\LetsPRO.exe.config | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Security.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Xml.ReaderWriter.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\pt-BR\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files\let'svp-n\Uninstall\uni929B.tmp | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensionsAsync.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensionsAsync.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.NameResolution.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.WebHeaderCollection.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\ToastNotifications.Messages.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\ja\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\pl\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Linq.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Duplex.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ValueTuple.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\it | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\runtimes\win-arm | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.CodeDom.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.NetTcp.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.CodeDom.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ValueTuple.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\zh-Hans\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\Microsoft.Expression.Interactions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ComponentModel.Annotations.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Resources.ResourceManager.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Threading.Timer.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Web.Services.Description.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\SharpCompress.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Collections.Specialized.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ComponentModel.EventBasedAsync.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Xml.ReaderWriter.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\es\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\x86\WebView2Loader.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NetSarangX\upload.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLitePCLRaw.nativelibrary.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Diagnostics.Tracing.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Drawing.Common.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.Primitives.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Duplex.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Xml.XmlSerializer.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\x86\WebView2Loader.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Globalization.Extensions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.IO.MemoryMappedFiles.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Linq.Expressions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.IPNetwork.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Security.Cryptography.X509Certificates.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Text.RegularExpressions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\LetsPRO.exe | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\packages\RELEASES | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\Microsoft.Win32.Registry.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Runtime.CompilerServices.VisualC.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Security.Cryptography.Algorithms.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\zh-MO | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Management.Automation.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\fr | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\LetsVPNDomainModel.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\PusherClient.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Console.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Security.Cryptography.Xml.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem3.PNF | C:\Windows\system32\DrvInst.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | \??\c:\windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | \??\c:\windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAuditPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeShutdownPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NetSarangX\upload.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NetSarangX\upload.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NetSarangX\upload.exe | N/A |
| N/A | N/A | C:\Program Files\let'svp-n\lets\tmp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NetSarangX\upload.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NetSarangX\upload.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\lets.exe
"C:\Users\Admin\AppData\Local\Temp\lets.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5563250 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\lets.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-160447019-1232603106-4168707212-1000"
C:\Program Files (x86)\NetSarangX\upload.exe
"C:\Program Files (x86)\NetSarangX\upload.exe" /NOFOCUS /checkin
C:\Program Files\let'svp-n\lets\tmp.exe
"C:\Program Files\let'svp-n\lets\tmp.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
C:\Program Files (x86)\NetSarangX\upload.exe
"C:\Program Files (x86)\NetSarangX\upload.exe"
\??\c:\windows\sysWoW64\msiexec.exe
"c:\windows\sysWoW64\msiexec.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{41560030-acf4-4142-8d06-504723712836}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\letsvpn\driver"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000174"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=lets
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=lets
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=lets.exe
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=lets.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=LetsPRO.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=LetsPRO
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | d33dd57c830b9b52ec844d713ea1a1da |
| SHA1 | 51fc3d3316bb308e164a981d364181ae6cadbd1b |
| SHA256 | b4255a661c37f4bffcb74baf33d1860cf54f0bdaf68a7b172d4beef3e22729d3 |
| SHA512 | 9b28c9968f0fd1e908d696e363725c6278771c51ac11e52fc6e89081197b88e5f1153293d6e61ae706278b3a98ee70be5ea2765443492461bc5d2330e5c8a260 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 52a0b3c36a01a89187342803bc11709d |
| SHA1 | 8f17c48ecfb5f798cfe565b8f370a86cf8efb091 |
| SHA256 | af97caa9ff7fba485bdbc688ac1f9de451d38efd102b2bf18deeeed7bd1a30c0 |
| SHA512 | 830259b06dc26197eb5bff1d12cc490a2813bf15ce99b2eb8fa3a61586d0cf613f5ba81fe120be8350ac7f27841633c74a97add2c33591952a0060404249c89c |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | 3220a6aefb4fc719cc8849f060859169 |
| SHA1 | 85f624debcefd45fdfdf559ac2510a7d1501b412 |
| SHA256 | 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765 |
| SHA512 | 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d |
C:\Program Files (x86)\NetSarangX\upload.exe
| MD5 | 9050ac019b4c8dddbc5e250bb87cf9f2 |
| SHA1 | 241f50bf6100bd84a14bd927a28bba5bc7df30f3 |
| SHA256 | 83d225323c8783c84d70aee1da5b507dde1e717ab3233f784fbb1b749dba11b9 |
| SHA512 | 2d3a167bb8d5c06b371f1f0c82ffb25e2aabb2c518b062816ae324d4ed1916f7c2271a7bb220bd49079cc4e33162e27757f3d35b062576ee160de4c209aedbc3 |
memory/4468-56-0x0000000000400000-0x000000000053F000-memory.dmp
C:\Program Files (x86)\NetSarangX\upload.dat
| MD5 | ed5ce3c2d78ace16956117ab67d77c2c |
| SHA1 | d9ba439f9e723c04bd12a33c6455d0eff70fc2ba |
| SHA256 | fffc1d2f822b8ddaba16e86ddd445b70fc5cb4d5a910d24b62f5d9c1ffaa2b22 |
| SHA512 | b6f36640320ed463aa5fc1a2e7db727128f6fa235b3d6f0b4afce1ca475ebaa287ad547384560c441b9ee4d95299b37125c27e46b3a7f3e95739859a66be6dc2 |
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG
| MD5 | e39405e85e09f64ccde0f59392317dd3 |
| SHA1 | 9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b |
| SHA256 | cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f |
| SHA512 | 6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a |
C:\Program Files\let'svp-n\lets\tmp.exe
| MD5 | e680b7e43f6fb7dab7fcd9a07f0b9367 |
| SHA1 | e29c59617f8aafcde20e06542510c087ef1892a9 |
| SHA256 | 185b11b4952aa5a8bd4ab83b8feade5224ad5823f002ff2381f74e184b9f0a25 |
| SHA512 | e7a10a5e14eb06da5634f847956edbd8a377e678648f5fe5deddfa30f4f69533d0f256ae046705ac7eefa48fe48c4c77bba2459831a59edc1c2b198da089abed |
memory/4468-79-0x00000000023F0000-0x00000000023F2000-memory.dmp
C:\ProgramData\templateWatch.dat
| MD5 | 81185e90f128ed274893d2fb749c7f6e |
| SHA1 | f21ae1050bb4da1e63ce448eb4632123327ee1f1 |
| SHA256 | c5cf7f3e08f1bf838ca2d0d041a75a51b17a03759183d3d6d97e2d3f2a31adaf |
| SHA512 | 11ed065dbb034f610349d45d27115c3bdd55ab21f9f0194316d1b016ff4d8568a481b5ae711139b47a92f37ef33cf5883a513a4aaf5726d4224164ca3fac2a18 |
memory/4468-80-0x0000000010000000-0x0000000010004000-memory.dmp
memory/4468-84-0x0000000002CE0000-0x00000000032C8000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst9C60.tmp\System.dll
| MD5 | 75ed96254fbf894e42058062b4b4f0d1 |
| SHA1 | 996503f1383b49021eb3427bc28d13b5bbd11977 |
| SHA256 | a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7 |
| SHA512 | 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4 |
memory/4468-95-0x0000000003410000-0x0000000003E59000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst9C60.tmp\nsExec.dll
| MD5 | 3d366250fcf8b755fce575c75f8c79e4 |
| SHA1 | 2ebac7df78154738d41aac8e27d7a0e482845c57 |
| SHA256 | 8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6 |
| SHA512 | 67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094 |
memory/4188-103-0x00000000072C0000-0x00000000072F6000-memory.dmp
memory/4188-104-0x0000000007A80000-0x00000000080A8000-memory.dmp
memory/4468-105-0x0000000002480000-0x0000000002481000-memory.dmp
memory/4468-106-0x0000000003410000-0x0000000003E59000-memory.dmp
memory/4188-109-0x0000000007990000-0x00000000079B2000-memory.dmp
memory/4188-110-0x0000000008290000-0x00000000082F6000-memory.dmp
memory/4188-111-0x00000000080B0000-0x0000000008116000-memory.dmp
memory/4188-112-0x0000000008300000-0x0000000008650000-memory.dmp
memory/4188-113-0x0000000008170000-0x000000000818C000-memory.dmp
memory/4188-119-0x00000000089C0000-0x0000000008A0B000-memory.dmp
memory/4188-120-0x0000000008A70000-0x0000000008AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrcyzdel.f3s.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
\Users\Admin\AppData\Local\Temp\nst9C60.tmp\nsDialogs.dll
| MD5 | ca95c9da8cef7062813b989ab9486201 |
| SHA1 | c555af25df3de51aa18d487d47408d5245dba2d1 |
| SHA256 | feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be |
| SHA512 | a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9 |
C:\Windows\Temp\_ir_tu2_temp_0\IRIMG3.JPG
| MD5 | 29b994bbbfa6110402d25849acd61baa |
| SHA1 | e3dae0632750d70cb38a1a7a741fc1a91f28580d |
| SHA256 | 165c99b55b3dcc4844d5066e4f3beea3181320d7e6c647439c0fe3035a4695fe |
| SHA512 | 98cc2abfb6904cffa82681b4f799a19f3bc9605cc2e17f1778cecc0b67d78c49ad7e08c9f2b606ffe8a572e0224a355cf9bb3b8d97dcc15e7d3a0841e423b889 |
memory/2512-158-0x0000000000400000-0x000000000053F000-memory.dmp
C:\Windows\Temp\_ir_tu2_temp_0\_TUProjDT.dat
| MD5 | 67bf1f80834081fc794c6ed1f7c2fed5 |
| SHA1 | 4d73fbec18037110be3248e97a555b7f9e458777 |
| SHA256 | 54fd2361602e82db016d6ea62fbadc3984b566399dfaac7e0a1181e4c70b90c2 |
| SHA512 | fd08c52f7f712dc477ce548476cc2f2582b19f05dc03a814e93ea8464b9a4510375b26f2a39ec50057bd0b0bfc3bdd94eda1e814254a259f0b209da2358d3bae |
memory/2512-165-0x0000000010000000-0x0000000010004000-memory.dmp
memory/2512-169-0x0000000001F80000-0x00000000029C9000-memory.dmp
memory/2512-175-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/2512-176-0x0000000001F80000-0x00000000029C9000-memory.dmp
memory/4132-179-0x0000000002800000-0x0000000002DE8000-memory.dmp
memory/4132-182-0x0000000010000000-0x0000000010A49000-memory.dmp
memory/4132-188-0x00000000030B0000-0x00000000030B1000-memory.dmp
memory/4132-189-0x0000000010000000-0x0000000010A49000-memory.dmp
C:\Program Files (x86)\letsvpn\LetsPRO.exe
| MD5 | a1a68d4eb068d5b2ce6aa93679c81f2b |
| SHA1 | 1e15a5057e5754661a6a10bb55a6dd09ee939418 |
| SHA256 | a2e047058f5a9225339513ff26ecdfdb5af04d325211d58b47f0d31624ab2438 |
| SHA512 | f3375e33ce7bcb703e2d43e07d24720de6331c5f61bea9b56de8c3c0e2f02d72cc16a34a93a0553f502ce5af3976ee79082ea642414500b7dedfc664a886289f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0f5cbdca905beb13bebdcf43fb0716bd |
| SHA1 | 9e136131389fde83297267faf6c651d420671b3f |
| SHA256 | a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060 |
| SHA512 | a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0 |
memory/2136-633-0x0000000007EA0000-0x00000000081F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b10399c009aa5ee9c60d2eb24023445d |
| SHA1 | 2260b80647e7f64ef5fc098c1610548146e8badd |
| SHA256 | 567376eb173601ceaa5c6ce1dabd2a88fe88c048e4a8f6343460aa21e24103d7 |
| SHA512 | 68c11e42f4311e7a06e73e27a46ae0180c11386dbc856820e112070b7ecfe2ccc51033e1107b20c1102ae48c442f281ddc5b680c2b0de076199d895a08cf8cba |
memory/2136-635-0x0000000008420000-0x000000000846B000-memory.dmp
C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1
| MD5 | b34636a4e04de02d079ba7325e7565f0 |
| SHA1 | f32c1211eac22409bb195415cb5a8063431f75cd |
| SHA256 | a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df |
| SHA512 | 6eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f |
memory/4468-645-0x0000000000400000-0x000000000053F000-memory.dmp
memory/2136-654-0x00000000097A0000-0x00000000097D3000-memory.dmp
memory/2136-655-0x0000000071370000-0x00000000713BB000-memory.dmp
memory/2136-656-0x00000000097E0000-0x00000000097FE000-memory.dmp
memory/2136-661-0x00000000099A0000-0x0000000009A45000-memory.dmp
memory/2136-662-0x0000000009AF0000-0x0000000009B84000-memory.dmp
memory/2136-855-0x0000000009A70000-0x0000000009A8A000-memory.dmp
memory/2136-860-0x0000000009A50000-0x0000000009A58000-memory.dmp
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
| MD5 | 1e3cf83b17891aee98c3e30012f0b034 |
| SHA1 | 824f299e8efd95beca7dd531a1067bfd5f03b646 |
| SHA256 | 9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f |
| SHA512 | fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b |
C:\Program Files (x86)\letsvpn\driver\OemVista.inf
| MD5 | 26009f092ba352c1a64322268b47e0e3 |
| SHA1 | e1b2220cd8dcaef6f7411a527705bd90a5922099 |
| SHA256 | 150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9 |
| SHA512 | c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363 |
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat
| MD5 | f73ac62e8df97faf3fc8d83e7f71bf3f |
| SHA1 | 619a6e8f7a9803a4c71f73060649903606beaf4e |
| SHA256 | cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b |
| SHA512 | f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe |
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys
| MD5 | c10ccdec5d7af458e726a51bb3cdc732 |
| SHA1 | 0553aab8c2106abb4120353360d747b0a2b4c94f |
| SHA256 | 589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253 |
| SHA512 | 7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981 |
C:\Windows\INF\oem3.PNF
| MD5 | 81563688bd15b095f45c1c4ce7041066 |
| SHA1 | cb1122e20cda7e48b650e6d33c985b8b36aae076 |
| SHA256 | 3520fec40273e0e2a2fd1d7f080172b680a060b4c374665c2165cd2de04edf7f |
| SHA512 | df13e63e25c589bfdf53b9d16325f18ee5f39250fac9f53926ef221dcc2bd7790a4fb834b731bb29be6aa103616bedd0ccd5dfcf6df977c30c2b9a6970a7244e |
memory/2512-999-0x0000000000400000-0x000000000053F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst9C60.tmp\modern-wizard.bmp
| MD5 | 7f8e1969b0874c8fb9ab44fc36575380 |
| SHA1 | 3057c9ce90a23d29f7d0854472f9f44e87b0f09a |
| SHA256 | 076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd |
| SHA512 | 7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555 |