Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    22-11-2024 03:58

General

  • Target

    10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi

  • Size

    40.6MB

  • MD5

    4e0c73259e83e8d5f36be55d4a937307

  • SHA1

    539d747d30c16f50ddf6b72da1426709edce5732

  • SHA256

    10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9

  • SHA512

    eaca63ff0faafdd6014864517a9fb92e82d970c99084d6cbf5b493b0b0ca6372541493f4c11b426c09b160369fb4da07d928d74a20078ab3e0743b54e5be99b5

  • SSDEEP

    786432:BxAq3kvG6v0/moop9AaRDEzVARzgsBBSs7ndpTp1Z4qaNrk+0/iClRu:cqUvL8/mfACxgUBSkdvAPy6CPu

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempts to gather information on the host's network.

  • Drops file in System32 directory 21 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 25 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:392
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5F5DB85C086DB8117A7155C1738DE34
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1916
    • C:\Program Files (x86)\pYkYZuRh.exe
      "C:\Program Files (x86)\pYkYZuRh.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1096
    • C:\Program Files (x86)\DsGtQhLH.exe
      "C:\Program Files (x86)\DsGtQhLH.exe"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1716
      • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
        "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
        3⤵
        • Executes dropped EXE
        PID:3008
      • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
        "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Executes dropped EXE
        • Modifies system certificate store
        PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c netsh advfirewall firewall Delete rule name=lets
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall Delete rule name=lets
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c netsh advfirewall firewall Delete rule name=lets.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall Delete rule name=lets.exe
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall Delete rule name=LetsPRO.exe
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall Delete rule name=LetsPRO
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2956
      • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
        "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
        3⤵
        • Executes dropped EXE
        PID:2764
      • C:\Program Files (x86)\letsvpn\LetsPRO.exe
        "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2888
        • C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe
          "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"
          4⤵
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1652
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1388
            • C:\Windows\SysWOW64\netsh.exe
              netsh interface ipv4 set interface LetsTAP metric=1
              6⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ipconfig /all
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1780
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              6⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:1464
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C route print
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2368
            • C:\Windows\SysWOW64\ROUTE.EXE
              route print
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1488
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C arp -a
            5⤵
            • Network Service Discovery
            • System Location Discovery: System Language Discovery
            PID:1816
            • C:\Windows\SysWOW64\ARP.EXE
              arp -a
              6⤵
              • Network Service Discovery
              • System Location Discovery: System Language Discovery
              PID:1056
          • C:\Windows\SysWOW64\netsh.exe
            C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2644
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2856
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "0000000000000564"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2760
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4785cad3-e345-1789-9bad-3f4a3d8f383f}\oemvista.inf" "9" "6d14a44ff" "0000000000000574" "WinSta0\Default" "00000000000003DC" "208" "c:\program files (x86)\letsvpn\driver"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5c471caf-e6b1-16ef-f1bb-3b035b645212} Global\{367e1d7d-a35c-68f7-18f9-aa28a85b602c} C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\tap0901.cat
      2⤵
      PID:2104
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000060" "0000000000000608"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1448
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "0000000000000574" "00000000000005FC" "0000000000000608"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2032
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads