Malware Analysis Report

2025-01-22 12:53

Sample ID: 240521-f2e8habb7y
Target: lets.1xx
SHA256: e3a7b4653b6d2f1270192a01da0b71f7682c6689636a8aab28b82e7365de142f
Tags: discovery evasion execution upx vmprotect
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: e3a7b4653b6d2f1270192a01da0b71f7682c6689636a8aab28b82e7365de142f
Threat Level: Likely malicious

The file lets.1xx was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery evasion execution upx vmprotect

  - Drops file in Drivers directory
  - Modifies Windows Firewall
  - Executes dropped EXE
  - Loads dropped DLL
  - UPX packed file
  - VMProtect packed file
  - Checks installed software on the system
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Enumerates physical storage devices
  - Command and Scripting Interpreter: PowerShell
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 05:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 05:21
Reported: 2024-05-21 05:23
Platform: win10-20240404-en
Max time kernel: 36s
Max time network: 40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lets.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\SETD3BB.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\drivers\SETD3BB.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A

Modifies Windows Firewall (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

UPX packed file (upx)

5 matches; no description, indicator, process or target recorded.

VMProtect packed file (vmprotect)

6 matches; no description, indicator, process or target recorded.

Checks installed software on the system (discovery)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F7.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d} | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F8.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F6.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F6.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F8.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{66f954e4-726c-5944-aea8-436fd07dff4d}\SETD1F7.tmp | C:\Windows\system32\DrvInst.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ComponentModel.Primitives.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Syndication.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\runtimes | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\LetsPRO.exe.config | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Security.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Xml.ReaderWriter.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\pt-BR\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files\let'svp-n\Uninstall\uni929B.tmp | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensionsAsync.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensionsAsync.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.NameResolution.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.WebHeaderCollection.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\ToastNotifications.Messages.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\ja\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\pl\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Linq.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Duplex.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ValueTuple.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\it | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\runtimes\win-arm | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.CodeDom.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.NetTcp.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.CodeDom.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ValueTuple.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\zh-Hans\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\Microsoft.Expression.Interactions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ComponentModel.Annotations.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Resources.ResourceManager.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Threading.Timer.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Web.Services.Description.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\SharpCompress.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Collections.Specialized.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ComponentModel.EventBasedAsync.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Xml.ReaderWriter.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\es\System.Web.Services.Description.resources.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLiteNetExtensions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\x86\WebView2Loader.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\NetSarangX\upload.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\SQLitePCLRaw.nativelibrary.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Diagnostics.Tracing.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Drawing.Common.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.Primitives.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.ServiceModel.Duplex.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Xml.XmlSerializer.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\x86\WebView2Loader.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Globalization.Extensions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.IO.MemoryMappedFiles.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Linq.Expressions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Net.IPNetwork.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Security.Cryptography.X509Certificates.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Text.RegularExpressions.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\LetsPRO.exe | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\packages\RELEASES | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\Microsoft.Win32.Registry.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Runtime.CompilerServices.VisualC.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Security.Cryptography.Algorithms.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\zh-MO | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Management.Automation.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\fr | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\LetsVPNDomainModel.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\PusherClient.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File created | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Console.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.5.2\System.Security.Cryptography.Xml.dll | C:\Program Files\let'svp-n\lets\tmp.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | \??\c:\windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\INF\oem3.PNF | C:\Windows\system32\DrvInst.exe | N/A

Command and Scripting Interpreter: PowerShell (execution)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | \??\c:\windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | \??\c:\windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags | C:\Windows\system32\DrvInst.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAuditPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\letsvpn\driver\tapinstall.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeShutdownPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\lets.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 4424 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\lets.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 4608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Program Files (x86)\NetSarangX\upload.exe
PID 4608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Program Files (x86)\NetSarangX\upload.exe
PID 4608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Program Files (x86)\NetSarangX\upload.exe
PID 4608 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Program Files\let'svp-n\lets\tmp.exe
PID 4608 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Program Files\let'svp-n\lets\tmp.exe
PID 4608 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Program Files\let'svp-n\lets\tmp.exe
PID 4944 wrote to memory of 4188 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 4188 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 4188 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4132 N/A C:\Program Files (x86)\NetSarangX\upload.exe \??\c:\windows\sysWoW64\msiexec.exe
PID 2512 wrote to memory of 4132 N/A C:\Program Files (x86)\NetSarangX\upload.exe \??\c:\windows\sysWoW64\msiexec.exe
PID 2512 wrote to memory of 4132 N/A C:\Program Files (x86)\NetSarangX\upload.exe \??\c:\windows\sysWoW64\msiexec.exe
PID 2512 wrote to memory of 4132 N/A C:\Program Files (x86)\NetSarangX\upload.exe \??\c:\windows\sysWoW64\msiexec.exe
PID 4944 wrote to memory of 2136 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 2136 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 2136 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 2312 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
PID 4944 wrote to memory of 2312 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
PID 4944 wrote to memory of 504 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
PID 4944 wrote to memory of 504 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
PID 3156 wrote to memory of 2408 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3156 wrote to memory of 2408 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3156 wrote to memory of 4248 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3156 wrote to memory of 4248 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4944 wrote to memory of 4224 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4224 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4224 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4472 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4472 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4472 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4472 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4472 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4944 wrote to memory of 1460 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 1460 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 1460 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1460 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1460 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4944 wrote to memory of 4144 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4144 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4144 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4144 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4144 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4944 wrote to memory of 4044 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
PID 4944 wrote to memory of 4044 N/A C:\Program Files\let'svp-n\lets\tmp.exe C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Processes

C:\Users\Admin\AppData\Local\Temp\lets.exe

"C:\Users\Admin\AppData\Local\Temp\lets.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5563250 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\lets.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-160447019-1232603106-4168707212-1000"

C:\Program Files (x86)\NetSarangX\upload.exe

"C:\Program Files (x86)\NetSarangX\upload.exe" /NOFOCUS /checkin

C:\Program Files\let'svp-n\lets\tmp.exe

"C:\Program Files\let'svp-n\lets\tmp.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"

C:\Program Files (x86)\NetSarangX\upload.exe

"C:\Program Files (x86)\NetSarangX\upload.exe"

\??\c:\windows\sysWoW64\msiexec.exe

"c:\windows\sysWoW64\msiexec.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{41560030-acf4-4142-8d06-504723712836}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\letsvpn\driver"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000174"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall Delete rule name=lets

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall Delete rule name=lets

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall Delete rule name=lets.exe

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall Delete rule name=lets.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall Delete rule name=LetsPRO.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall Delete rule name=LetsPRO

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall Delete rule name=LetsPRO

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files
