82d2b932388d56ec91a12abb4f0fc323452d0de4e16ee1e93385feb89eb61973

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

letsvpnx64.exe
Size

28.4MB
MD5

0fde5e207deeaa9c2bb7046d57055360
SHA1

bcab3b5c7eb0bacdecca53c92c6ce71fd3787487
SHA256

82d2b932388d56ec91a12abb4f0fc323452d0de4e16ee1e93385feb89eb61973
SHA512

5340d2f437714e274252996f1cd92c61128ba8daadda08284ad5c1b3ec84913acdc2d2278746314bed9ebe23254ffbfdf9926ebed319fe644e46b91eee23c41a
SSDEEP

786432:7Z9ViIHvw/aqAMugW2C2CFw0cu3peqDKPS:7JH4aqAL9F5ZeqOS

Score

8^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET3736.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET3736.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DxpT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DxpT.exe

Executes dropped EXE 5 IoCs

pid	Process
272	letsvpnx64.tmp
1148	DxpT.exe
1532	LetsPRO.exe
2272	LetsPRO.exe
2628	tapinstall.exe

Loads dropped DLL 64 IoCs

pid	Process
2456	letsvpnx64.exe
272	letsvpnx64.tmp
272	letsvpnx64.tmp
272	letsvpnx64.tmp
1148	DxpT.exe
1148	DxpT.exe
1148	DxpT.exe
1532	LetsPRO.exe
1532	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
1556	cmd.exe
1556	cmd.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\DxpT = "C:\\LetsPRO3.1.9.2 3hAz6vXUCD\\appres\\DxpT.exe"	DxpT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\LetsPRO3.1.9.2 3hAz6vXUCD\\app-3.9.0\\LetsPRO.exe\" /silent"	LetsPRO.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2116	cmd.exe
1076	ARP.EXE

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\SETEC34.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\SETEC35.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\SETEC23.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\SETEC35.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\SETEC34.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\SETEC23.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpnx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DxpT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpnx64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DxpT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DxpT.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DxpT.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	DxpT.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	DxpT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	DxpT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	DxpT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DxpT.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1840	ipconfig.exe

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32008 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sstpsvc.dll,-203 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."	DrvInst.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon\ = "\"C:\\LetsPRO3.1.9.2 3hAz6vXUCD\\app-3.9.0\\LetsPRO.exe\",1"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\ = "letsvpn2Protocol"	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\LetsPRO3.1.9.2 3hAz6vXUCD\\app-3.9.0\\LetsPRO.exe"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\LetsPRO3.1.9.2 3hAz6vXUCD\\app-3.9.0\\LetsPRO.exe\" \"%1\""	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon	LetsPRO.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	LetsPRO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c6921900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c0400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a414000000010000001400000032eb929aff3596482f284042702036915c1785e61800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	LetsPRO.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
272	letsvpnx64.tmp
272	letsvpnx64.tmp
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	LetsPRO.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2332	rundll32.exe
Token: SeRestorePrivilege	2332	rundll32.exe
Token: SeRestorePrivilege	2332	rundll32.exe
Token: SeRestorePrivilege	2332	rundll32.exe
Token: SeRestorePrivilege	2332	rundll32.exe
Token: SeRestorePrivilege	2332	rundll32.exe
Token: SeRestorePrivilege	2332	rundll32.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeBackupPrivilege	2992	vssvc.exe
Token: SeRestorePrivilege	2992	vssvc.exe
Token: SeAuditPrivilege	2992	vssvc.exe
Token: SeBackupPrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	2420	DrvInst.exe
Token: SeRestorePrivilege	848	DrvInst.exe
Token: SeRestorePrivilege	848	DrvInst.exe
Token: SeRestorePrivilege	848	DrvInst.exe
Token: SeRestorePrivilege	848	DrvInst.exe
Token: SeRestorePrivilege	848	DrvInst.exe
Token: SeRestorePrivilege	848	DrvInst.exe
Token: SeRestorePrivilege	848	DrvInst.exe
Token: SeLoadDriverPrivilege	848	DrvInst.exe
Token: SeLoadDriverPrivilege	848	DrvInst.exe
Token: SeLoadDriverPrivilege	848	DrvInst.exe
Token: SeRestorePrivilege	2628	tapinstall.exe
Token: SeLoadDriverPrivilege	2628	tapinstall.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeRestorePrivilege	1924	DrvInst.exe
Token: SeLoadDriverPrivilege	1924	DrvInst.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
272	letsvpnx64.tmp
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe
2272	LetsPRO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 272	2456	letsvpnx64.exe	30
PID 2456 wrote to memory of 272	2456	letsvpnx64.exe	30
PID 2456 wrote to memory of 272	2456	letsvpnx64.exe	30
PID 2456 wrote to memory of 272	2456	letsvpnx64.exe	30
PID 2456 wrote to memory of 272	2456	letsvpnx64.exe	30
PID 2456 wrote to memory of 272	2456	letsvpnx64.exe	30
PID 2456 wrote to memory of 272	2456	letsvpnx64.exe	30
PID 272 wrote to memory of 1148	272	letsvpnx64.tmp	32
PID 272 wrote to memory of 1148	272	letsvpnx64.tmp	32
PID 272 wrote to memory of 1148	272	letsvpnx64.tmp	32
PID 272 wrote to memory of 1148	272	letsvpnx64.tmp	32
PID 1148 wrote to memory of 1532	1148	DxpT.exe	33
PID 1148 wrote to memory of 1532	1148	DxpT.exe	33
PID 1148 wrote to memory of 1532	1148	DxpT.exe	33
PID 1148 wrote to memory of 1532	1148	DxpT.exe	33
PID 1532 wrote to memory of 2272	1532	LetsPRO.exe	34
PID 1532 wrote to memory of 2272	1532	LetsPRO.exe	34
PID 1532 wrote to memory of 2272	1532	LetsPRO.exe	34
PID 1532 wrote to memory of 2272	1532	LetsPRO.exe	34
PID 2272 wrote to memory of 1556	2272	LetsPRO.exe	36
PID 2272 wrote to memory of 1556	2272	LetsPRO.exe	36
PID 2272 wrote to memory of 1556	2272	LetsPRO.exe	36
PID 2272 wrote to memory of 1556	2272	LetsPRO.exe	36
PID 1556 wrote to memory of 2628	1556	cmd.exe	38
PID 1556 wrote to memory of 2628	1556	cmd.exe	38
PID 1556 wrote to memory of 2628	1556	cmd.exe	38
PID 1556 wrote to memory of 2628	1556	cmd.exe	38
PID 2420 wrote to memory of 2332	2420	DrvInst.exe	40
PID 2420 wrote to memory of 2332	2420	DrvInst.exe	40
PID 2420 wrote to memory of 2332	2420	DrvInst.exe	40
PID 2272 wrote to memory of 860	2272	LetsPRO.exe	46
PID 2272 wrote to memory of 860	2272	LetsPRO.exe	46
PID 2272 wrote to memory of 860	2272	LetsPRO.exe	46
PID 2272 wrote to memory of 860	2272	LetsPRO.exe	46
PID 860 wrote to memory of 1660	860	cmd.exe	48
PID 860 wrote to memory of 1660	860	cmd.exe	48
PID 860 wrote to memory of 1660	860	cmd.exe	48
PID 860 wrote to memory of 1660	860	cmd.exe	48
PID 2272 wrote to memory of 1864	2272	LetsPRO.exe	49
PID 2272 wrote to memory of 1864	2272	LetsPRO.exe	49
PID 2272 wrote to memory of 1864	2272	LetsPRO.exe	49
PID 2272 wrote to memory of 1864	2272	LetsPRO.exe	49
PID 1864 wrote to memory of 1840	1864	cmd.exe	51
PID 1864 wrote to memory of 1840	1864	cmd.exe	51
PID 1864 wrote to memory of 1840	1864	cmd.exe	51
PID 1864 wrote to memory of 1840	1864	cmd.exe	51
PID 2272 wrote to memory of 1592	2272	LetsPRO.exe	52
PID 2272 wrote to memory of 1592	2272	LetsPRO.exe	52
PID 2272 wrote to memory of 1592	2272	LetsPRO.exe	52
PID 2272 wrote to memory of 1592	2272	LetsPRO.exe	52
PID 1592 wrote to memory of 2960	1592	cmd.exe	54
PID 1592 wrote to memory of 2960	1592	cmd.exe	54
PID 1592 wrote to memory of 2960	1592	cmd.exe	54
PID 1592 wrote to memory of 2960	1592	cmd.exe	54
PID 2272 wrote to memory of 2116	2272	LetsPRO.exe	55
PID 2272 wrote to memory of 2116	2272	LetsPRO.exe	55
PID 2272 wrote to memory of 2116	2272	LetsPRO.exe	55
PID 2272 wrote to memory of 2116	2272	LetsPRO.exe	55
PID 2116 wrote to memory of 1076	2116	cmd.exe	57
PID 2116 wrote to memory of 1076	2116	cmd.exe	57
PID 2116 wrote to memory of 1076	2116	cmd.exe	57
PID 2116 wrote to memory of 1076	2116	cmd.exe	57
PID 2272 wrote to memory of 1808	2272	LetsPRO.exe	58
PID 2272 wrote to memory of 1808	2272	LetsPRO.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\letsvpnx64.exe
"C:\Users\Admin\AppData\Local\Temp\letsvpnx64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\is-MMG10.tmp\letsvpnx64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MMG10.tmp\letsvpnx64.tmp" /SL5="$301C4,28941214,737280,C:\Users\Admin\AppData\Local\Temp\letsvpnx64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\LetsPRO3.1.9.2 3hAz6vXUCD\appres\DxpT.exe
    "C:\LetsPRO3.1.9.2 3hAz6vXUCD\appres\DxpT.exe" xWSvuI
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\LetsPRO3.1.9.2 3hAz6vXUCD\LetsPRO.exe
      "C:\LetsPRO3.1.9.2 3hAz6vXUCD\LetsPRO.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\LetsPRO.exe
        
        "C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\LetsPRO.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ""C:\LetsPRO3.1.9.2 3hAz6vXUCD\driver\tapinstall.exe" install "C:\LetsPRO3.1.9.2 3hAz6vXUCD\driver\oemVista.inf" tap0901"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\LetsPRO3.1.9.2 3hAz6vXUCD\driver\tapinstall.exe
        
        "C:\LetsPRO3.1.9.2 3hAz6vXUCD\driver\tapinstall.exe" install "C:\LetsPRO3.1.9.2 3hAz6vXUCD\driver\oemVista.inf" tap0901
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=1
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh interface ipv4 set interface LetsTAP metric=1
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C route print
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C arp -a
        6⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:1076
      - C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1808

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1f96e5c6-3c51-2471-5ff9-293c8b88d045}\oemvista.inf" "9" "6d14a44ff" "00000000000003D4" "WinSta0\Default" "00000000000004D4" "208" "c:\letspro3.1.9.2 3haz6vxucd\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{42354ad7-2cf0-6972-3a01-03599cbc4058} Global\{1c3987af-7d0e-3cd3-c7e9-ef4e472aec66} C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{710e1e1e-d6d5-15f8-ee16-6856656e5f3f}\tap0901.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005FC" "00000000000005F8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "00000000000003D4" "00000000000005F0" "0000000000000600"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LetsPRO3.1.9.2 3hAz6vXUCD\LetsPRO.exe

Filesize
240KB

MD5
86d955ce77a147098f9bc7648bc1ed9e

SHA1
2b6abc9645d77279ae4c0329901c8b0781a566dd

SHA256
8f98c3a8d0f3b7c8186cdb56b082986d86637386c2dcce1006c658972b32f3da

SHA512
4991d5f7e260e71b584b19d51ae986c8fcef1c7867ddea2ca44aed38e2083193409bf5046d0fc3077dcc422bcad3211b69b0ce987411b55a37e5c63c1ace31d1

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\CommunityToolkit.Mvvm.dll

Filesize
109KB

MD5
dfe09bc93d85a91f424c6401e33051b6

SHA1
c30ef46ceef3f3b3135d58da4925d1aea38b3203

SHA256
9214df29fcefe144f2ecf908cf9f2169e49e91fa56b1ec3223a4b184ff5f612c

SHA512
b05b756b3b63455d870c03790178c2c6f7234cd4b25f6dedf47f249fd2a30a844a031af97e2d22f37a5999981614a3ef0e0d8748a05448987d72073c86afeb48

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\LetsPRO.exe.config

Filesize
22KB

MD5
ebaeca4375f9cc819ff3835ba62717de

SHA1
819d4ad83729d709a3ed6172e2c608af70de3d03

SHA256
a12e73eb35a51a227afd1318edb824a77cbe60d2fbf67e1463404c0673e42d9c

SHA512
311d6aa1a8608b327bfa97cb77e4e21a44946438f60c6c2fc9e0bf9ef97434138d0136ca1d55c7d836d72a03cebec63beefd974219ab8ea580eddf3e23e76d3f

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\LetsVPNInfraStructure.dll

Filesize
23KB

MD5
ae5033063d375120c813fe2a49820727

SHA1
d23641a2909b60db763952435c54efa8f6bd4db7

SHA256
a081ed96055cbb0082b1c15bf092c4888cff3a1f76bc56746c7913667fdf9822

SHA512
b00720240aa6961b628d016dc4e60d58182f42831f1e2a9707f85f300e11ea1263e34f2048246dcba392146ff014ae300cb307eba0052edd8fb752d9b9fc8896

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\Log\Lets.log

Filesize
151KB

MD5
0a5cb21416e37938d9c562e413dbb409

SHA1
1de4366f324918385df9e29ed0e961353b5d97df

SHA256
cdd21b953249a6a3086681fc0a3ea5dfa8f450a984f7a4015e689a1a8a9b530d

SHA512
7a6b28b7b38923c79ad9cf1fce707ebbab61d30df5fa0848f3b820ef0ef1a3b16c0307a51c866e66197126f218021e11fadf8158baf8f9e0b8a7f4754446448b

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\Microsoft.AppCenter.Crashes.dll

Filesize
50KB

MD5
c22e4163814d805f8503a717641eb9c0

SHA1
849fc76d91c12e0c462807a6552b05c3383d6b78

SHA256
d6cc029f1501ecede81c7934ce32484942421df8036a8812f231d07a49ca5f9f

SHA512
4997b949cfe6684679988ad699a0152c7f6b85324486e3b9c89ff9395d566833490d519a03e8c354b2a00c039dc3effff957c1e6c38fb8c7ca8d49caf774c9bc

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\Newtonsoft.Json.dll

Filesize
693KB

MD5
44bf96b5782fb6c3723189464ce376a9

SHA1
d78d67bace31a428b38125d313a42fa9f6e6a0bf

SHA256
d738252b00f38b0d9421a5c7b4195b65710eac996df1efc4877664735d7b2ace

SHA512
36058bf73de1da1a81bb1eb15dc2b847a0172595fa3de23edfe3b96275ce6ede5fbc8987640af4b8179d93c7964491aeef8ba42993fcab260b753bed0177b27f

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\System.Runtime.InteropServices.RuntimeInformation.dll

Filesize
21KB

MD5
11f1dec2f83f2e832e56a0e32f83feaa

SHA1
27ec65236be02507ad70708333fe503adb07cabe

SHA256
a4e2e16ad23e6874783ca18d42bd119b7a18e77b6ca66374d5b62f961e83c83b

SHA512
35d8435d25478613081cb165bf566a2b2071efdac4309ac0be367681882f0aaa019240a15285d959a44f09ebedac64a63fb70e09dd3007c81675cab889005a78

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\libwin.dll

Filesize
10.2MB

MD5
31dc3b6908dc8064a57d4ac304eadd15

SHA1
5cb8d2a8efc7d286e235f92d3c84478fa7e21e6b

SHA256
dd20e8ac57d70710e1d51159fec47ef626a133f1a57fd0e721a0706c1a1af11e

SHA512
fe82c1a8517cc13d25714ef1eb347291360681ec69c2e0b79a826a16bbe58518dea12f63848f3c72c7499c046c0043d9cb9d2dfbd04ebf1622a136ceb589ef0f

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\log4net.config

Filesize
3KB

MD5
28f9077c304d8c626554818a5b5f3b3a

SHA1
a01f735fe348383795d61aadd6aab0cc3a9db190

SHA256
746b5675ea85c21ef4fcc05e072383a7f83c5fe06aaa391fc3046f34b9817c90

SHA512
485c175bc13c64601b15243daecbf72621883c2ff294852c9bbb2681937f7ef0bea65361e0f83131ec989432326442ef387c1ccf2a7ca537c6788b8fd5c0021e

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\appres\CKeyboardH.dll

Filesize
4.4MB

MD5
45ce1e82b9f95ac7c105b699cb2e6f39

SHA1
33a382af1b0b3664ce85bba0b264031aea7a2c45

SHA256
74356364ffcade38b0ba7fdeed6cd12640f6614223bbbd53fde619efbe068183

SHA512
97220c8c9e9955af16a7ae853ef817044cf1174bd6f5a661544aac40fb3fcf47b2a1e6204afeb9fe94cabc3157c265afc86ceac84421ca09d238bc040b9f0f30

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\appres\DxpT.b5hn

Filesize
4.0MB

MD5
807362caa90c6becd11a92dd8c515785

SHA1
0a0b069e88829f26f661428eb0ef360c0314c53a

SHA256
aea72e8f5682ce41f8ee2e16016c1c45f5471190238219cfc34e692b4f04a4d8

SHA512
cf52fb68d26963082acda91b343ccef62fd7ab69e4293ab2847438001819a0b37edc910d65cca36e7c8386a7e81d054b941bc39c98b846f61165245158e133f6

Download Submit
C:\LetsPRO3.1.9.2 3hAz6vXUCD\appres\DxpT.txt

Filesize
20B

MD5
add3ff2b782b2b517c310ed0247ea040

SHA1
81b7ee141fff642645c6b8d7485fdc16f06f618d

SHA256
9991c377d32b01f598e2a88f8f952e48d1a24441f29343248fa1f787df31eb8b

SHA512
b853eb57aafea8552ab2aa680bb65a5a8ac1f5ad0062108533466ee92b5e56430adade7b06768ed93d106cbd145c9c5cc5193bf27b666489ac27631c186f91d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4cda0bbdef9d9992524478a5845592e

SHA1
9b387027abb324d19ed7d500a7ace023d75d70d9

SHA256
0d9224c23f9104c25563363feba58db68d587bf9c030786e7df97357bda95fea

SHA512
b099857d75c7639ebdd9ae458fce3333ad41e226def8f0f223c474efaf39449994e1a1232b810fb942e69f7cab503a71031650caea7503bc4f84390af37a84a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b78c2168ce886906cdc68f9dfc217b10

SHA1
da38fb63df8887fab2a8f49ee1ed1e1db74c39f4

SHA256
c55108343f43330a017989f829706717773140906d6762e05d4e1943945ec3b0

SHA512
e18d4caeac5f11acc20176772ae92953c643cabc6ff4f5a28600966dc437707feb4fb2fe195eed806589871705bc92e2544291ec2f7628d4bfd7b01b0b7e638a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE68A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE69D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\background_finish.png

Filesize
97KB

MD5
7283313fe367a89d0808e39fb1e47f81

SHA1
07a5874fd4316e0c394731581eb10120897e89c8

SHA256
4c92a60bcc398d33b37eea83d0a55fd061ababc421ae9fc7cc95fe1fa08ccff1

SHA512
469dece9fdcbdea5f101a3e3a1f28f860267a4ff2b25c4c566f07cea61633237487eca6e56654aa1f1af49d0cb36d63c584d3ad7ad97ae3b923d5cef0ab58c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\background_installing.png

Filesize
220KB

MD5
e94efbc23400ff1adfe2e4355e604259

SHA1
5d8644a3ab7b639c92bcc0d3c1cbb37cecc2017a

SHA256
ec645f3bc2a89caf3e1ebc82eb8ce0c029d7db52e59b6c0a5e66fadf7bdeae29

SHA512
cddf6b338587cb4d2450fa54673bd3800bcaa171172c12003cc6af81c3c5edf99c2ea47a0d59e7546d8ce2f0214802299218b6d659a04037f32e0a4386b0674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\background_messagebox.png

Filesize
4KB

MD5
d1a4f5ba76b7e7a702f13fbd9bbb76c7

SHA1
2c8e3fbf70f0a89a833c3607fface79a9072d324

SHA256
bcd3b5b4f4fb5a956a6ad14236567dcb1117b621713c50483433d7af1011e724

SHA512
6afc8c206f4cc9969bcc4ba373f05742ea318733891a145ef580f4116170c9fcab4479d8955e58f23d3cf445fdc9ed5eceabd086ce2324fc751f5bbb89d9d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\background_welcome.png

Filesize
88KB

MD5
ccd3871adda014e14bd5ceaf83ed55a0

SHA1
0fd7fff6b9927244bcc325f99569a3577825093e

SHA256
4bd52ad6490a023145628ccc3e6820183b605c22558510422c8bdb49552f5cb1

SHA512
7001a63edee879c29aeb8065913f81914639bc5f1c4b7525133ce63d84e9ed953c2d4f51d2d9c2d39e20f5f5b6e4b491c30272314496906dffc11729e1c86958

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_browse.png

Filesize
13KB

MD5
d724d25b757d8f203cd6777da8cd17a8

SHA1
51ac4866ba5550c73512a05fa4cccf36beb05a61

SHA256
78114fdef066f771aa842a682f0e71deb06b98a1b065689611814ba165460fc0

SHA512
183b1eccbf901f21ef992df79024b6bd2fa49e5e6599298ddeed9dfdb647d58a6407b519f5eeebc9a2c4eb6c9afb12e80ee5f3233d8ad7f8145496d569737fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_cancel.png

Filesize
6KB

MD5
fb8e04322eee99db624e395d969dbc59

SHA1
4ac99299b54c657c0d40679fc6e4f3840638ca58

SHA256
e5a6d0c5f16ca8bebd882dfac1b77336b477ea22f7b22bde72580824dd2d94e9

SHA512
90020fe26f252e4277235eed8f91da5754373f0fdcde0cff6c7bcf8ece5c2ee66c952ef884a69664fe412c55ea9cae1933fad1a0d9c626bdd836e6a177cef0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_close.png

Filesize
3KB

MD5
2b29884a02b398ef5b3d4cb2db1e5c34

SHA1
a8f7e6525378b22185a0bd3010d1b86fca1a9c2f

SHA256
789e0fd796fa36c23f053acc85dbcc1c03035f93b92cce76840811d8b898b025

SHA512
9093d8c0910118c3dbc1170b183738530fd7bdace1d0e7f839fcee701a807de17d9c1da5d2b9da06ac7ec9b0c89db99f3461c4ae5c553a52c22cfb413ee41883

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_customize_setup.png

Filesize
10KB

MD5
9fd5cf39cb1d65a7dd9fc7396fc03550

SHA1
41179665031dc8031197ee7450fc49b3efba052f

SHA256
adf67d4817b7061ef2ceb74375e1216908df908b4da839a70c275c66f4130193

SHA512
a951745de5fe3925add368eeaf57e6e67a7fa021df2289a3e6b64313890f60fc1a7e5aee49fa489cf268b63cad27c0d78daee1679a518aab4b25bcb9c8498a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_finish.png

Filesize
15KB

MD5
ad97fd4c6b284c686ad23f3212d7389c

SHA1
4e82f8151a7b58f7a9afa8d6f6db97684c78c2a9

SHA256
411caa8d2b27c64c092d0e673e4ae06fdef0d7d50e31dfb1b3b3f51d38cc2253

SHA512
cff27c4b705ac0bd44cc58d58496d54477da8bbc9ed6b4ad1ff5c05940654c1ad35be8d8ef6f136f5e9e96789b9ed62a2b0c83daef28c18f3224ea5a368ed86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_license.png

Filesize
11KB

MD5
410c7780e6700028ab373f9efe75f728

SHA1
4c6eb2e50b83e2bc8f58aa0b643a549028b16603

SHA256
16f20688f713c3bee746bd0d745f843c99f6c360f71b44aa5713f9d5fae2cf75

SHA512
0e63f245dc8e8799376b3f7e33da5a2f40e3788b7e1541e07e8e171b91c6e4dd0a0f9bca0a02cd6d4e34618bcc112bea29d2d99e19e44aac3a8ad5029e9ef790

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_minimize.png

Filesize
3KB

MD5
53377fd010771582b62621793237d97c

SHA1
7028bce353330e3fc2cfe0e3c94a9cb7c1f116e7

SHA256
7967738a3a3bd46f2c128eb9d66183c93dbb56cf51e08aa439162f999fc952a1

SHA512
a62a7813d60429b7532797f53878acac02975bd13524c496626219180f498033127870659cc96f4fecbcd67976140b904443e93d3a193d149027906f5dcb15d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_ok.png

Filesize
6KB

MD5
558e7219fc377b63365513c4e017cf24

SHA1
ac508857ab9657abc0f731ff09712bbafadd1f0b

SHA256
43818ff077e39e82519171f9525ba3be84e584252d42946733a07a3f39455466

SHA512
dfdec62bf1e1cf0f6f0eb9c825e75bcf1d7eacb7925acf8b4e19fd4f382cb95e8e01c14fde3cc58c9e47d26b296c34dfb469c42d1aa67670ad511a3698ee31f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_setup_or_next.png

Filesize
16KB

MD5
f759680e272b5fc9e60738b7dbbbc623

SHA1
defcdd008ddb3a3d5e4da4824f6114649c2e2c23

SHA256
ea9a1ac0057cf97ff422d306526ea3d73345673bd82f4fdffc2c4313fdb74b31

SHA512
cb2dc79e28edeaaa415653165e23c21236a6535bec6737349d5e9af69e5f92531d1c7da9ff55df10a09bc7731ab15fd4385d6436e78dd7a00792a0848c54eac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\button_uncustomize_setup.png

Filesize
10KB

MD5
aa5886c0e8b173955df656efbcbc00d4

SHA1
a05b410e756d4b2b6c30a448a55777691c55b2dd

SHA256
7b4577498af66c8f3b2e69f65a36306395826fbfd21c8e8b227ab760c793b5d1

SHA512
15d74e888d5490478da9b5e429509cb864fdbc7ac0ad368353b5043fd07923e2d7ead94907ccb458b84f19022d8be1def8bed5c58866d20181206792be7b49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\checkbox_RunApp.png

Filesize
18KB

MD5
d940cc6ffe0711645658760a85fd7205

SHA1
34d0bece8d647c23cf22d736ab5d07c0514ffabe

SHA256
87ebac7c4c2120f7e12be062da1c225c7b180aabc2682a6be3ae18f3cdd5198c

SHA512
a89197a2b18bdc9955b11fe2fce449c5ff6c5cd2d6f53af75c9a0494018a6fc59ef7f1bec2c494520970967606a79072e77853d6d0c76393de50d684a54b3614

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\checkbox_license.png

Filesize
27KB

MD5
e1ca6a42984d8b7ededb48a3f7133791

SHA1
b1c13e402f939ac9f00a795482a6f4b80b27a5bd

SHA256
023cca5e5bbab5aed27e5290d91a14573a0178d8cfaac73d402221c78c5f013d

SHA512
80a93ae1ffc67593faa28c8043135d92b6cc4bddc830a285c2e176c09450b391b4189e9bb060fb93002c236e69f4c48a247946b8169bb97c6b3f42ee07e45d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\progressbar_background.png

Filesize
283B

MD5
04dca3926efaa3851fd98aecb4315ef8

SHA1
8d431629c573a370df73741ad010463af635b8bd

SHA256
648c2e85e064672bb47b3750215470e1b7ea3e4217f777c6faa35446d449b4cf

SHA512
a54930c6a019236eb2ef3b38fe214f5a57645ca58c5896dd702256254279842413c9f4c7e8d60418f270a94f80ca7246a5d3a433503048ebd07ef7d5ddd774c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\progressbar_foreground.png

Filesize
286B

MD5
2205f8b79ffdd37af080e444c424e513

SHA1
95294bf76c00cf8677119a204046182887c0ec8d

SHA256
d2ce48f668bfeee1500c9aaafba2cfbc8ee7c3c34ec2afec3140aa1d5ff22b57

SHA512
1be8de0c734e96bd81664b74c40cc1e174c9cad93ed3a6af403be3f32c227faeaee02398108e3a87a7a56cbfac963f996de2bc9495024f47715ecc3dbeca7c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1f96e5c6-3c51-2471-5ff9-293c8b88d045}\oemvista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1f96e5c6-3c51-2471-5ff9-293c8b88d045}\tap0901.cat

Filesize
10KB

MD5
f73ac62e8df97faf3fc8d83e7f71bf3f

SHA1
619a6e8f7a9803a4c71f73060649903606beaf4e

SHA256
cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b

SHA512
f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1f96e5c6-3c51-2471-5ff9-293c8b88d045}\tap0901.sys

Filesize
38KB

MD5
c10ccdec5d7af458e726a51bb3cdc732

SHA1
0553aab8c2106abb4120353360d747b0a2b4c94f

SHA256
589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253

SHA512
7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
ac40ef66e97a6f9ed67fc86dc5f0b270

SHA1
ab90ce9ffb7c230c9aee58e47cd9f6344a8800ed

SHA256
c0ca85255c1503fbd9f01020c3444e0224989316f990ebcfd74e2d9038b3c99d

SHA512
f8b23ef6f988a76f75cbafa1f1d5063a5400333bf369c3033976e0c2c90f5d3cadc513243436d504f9474ca8ab5064f4b81c617150852c62db186d2e4edcfcae

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\LetsPRO.exe

Filesize
1.4MB

MD5
ed9d8b44698bbc5e02a04e4f6c5a3678

SHA1
a2f7bfdbcd6c20151bc9296ea2fe65f9f14798e9

SHA256
1d8631769a0bdf5ed263493dfa579d4af634fc944c7afa638b357952a5fd64b7

SHA512
cc003dfe4e5ef801f179f19537fd438d22f7080bd7df2799e0e10fb7c71475c7c2e2a5525243b25f6b6ed5cd0431830dc6a6c5cb9bbe0f9855b6da52a3d58cc4

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\LetsVPNDomainModel.dll

Filesize
21KB

MD5
b8ab11073f53a6312529489434f76db9

SHA1
26d497e6bc5227f193acfd9d3d4987c1326514e7

SHA256
7171bc86ad77ad2abceaa61f199d3958f6864450868ab9ae3acce381dce1c0bb

SHA512
05c734c3f5b660bdc37e2ad24201be4377a21d86be9d3f4aed2411eae4113f9c9ffa0fec43a79453b166af9e5e8e041c69019ed9f10c30fb8e295286321d3c90

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\Microsoft.AppCenter.Analytics.dll

Filesize
22KB

MD5
6f1f7a516e67c908d8c90c5b30f301f4

SHA1
b058c21249cd561e16a56a0e1f6f61d44983aaec

SHA256
b39d33fdce42f0a05bfa300f7563ed75fb3e0f2a4826a1f4c01ba6dd83cc48c5

SHA512
10c23637fe87963ebe65119f4059c715b05accea5b14c4d3d98ca4c1046b164e093ec8db9c7a5a7f2a9f8e4ce055a5f534f11b86d1c4afef94110a8abb7d38c1

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\Microsoft.AppCenter.dll

Filesize
138KB

MD5
08e9fb0153dd4065528f1d92e0e8f6b7

SHA1
a22cc2ecafb9e05bb4f1afe0f5fbd7072594f6e0

SHA256
f7451c33199518f39dc1f592529f1054cb9b85369c1a9ed67cb7506c6ffad3b4

SHA512
24db36e577884fee8d23b22f8bb950cd078dcab871aa0d7580ae47c0811908f8e81ae39f968c99da0c001362dffcb3b103cfab415fc7a8c1491dda69b604473a

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\System.Buffers.dll

Filesize
21KB

MD5
77bb70791e61ac8edd227a9ffb34ce34

SHA1
966cf5c7c5be06c11eb7cef8d40250d3f8fe498b

SHA256
2299c772cd3676f79568d4d94c7b9a4ac8b60a5c98b84568d714a6cc77a91315

SHA512
f6ef04cdbe8a27c994ca39b506a4b3b84144f2af0637d70ff7db4c79bd06c183bb3719cfb61c1f669fe2183eb49706e19ce214f205384022822f26c74e86fc17

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\System.Memory.dll

Filesize
138KB

MD5
fb29c7f3049f3ac34e92699ba264fc5b

SHA1
b2b39d86a2aac4043c3a734b87ec59e8cc4abe70

SHA256
b482c6937515c7e19c97ac653475c138f01ed2475478690230b4ac3ab8cd0984

SHA512
f2adb1ae1878bb72afb000a67876fbfbf068c067ebc8a7156d274390ed7ea90d659a4918eac3ae53c78d3552905ac8e4077b95447ad246e71872bb2cea76558f

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\System.Runtime.CompilerServices.Unsafe.dll

Filesize
18KB

MD5
311207903ae3b461eeaf73c1e1ce7470

SHA1
7ef8daac87248f0bc144c3334496ebd2dc89aafe

SHA256
73ab48609cde990826dcb9ac54b0f439a98dc7dbf3021e527903d010565f8c21

SHA512
8bd9bc218663aa85aba0d9097ae969a73923cf185d6446654be42111c4b32472e403f123c462bd5f4fa38a2ed8094996c7a523441499f4e3344b16fe935afcee

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\Utils.dll

Filesize
126KB

MD5
d144ac9b53c174ae896d54a5ce7ad9af

SHA1
62be56006381323045af6d2bc4cf28445fcf18d5

SHA256
7569d9dde7ff3efc6c82c797e44aa67cdf8e055476c873b192675a38fbd903e9

SHA512
b26f278340440ef2cd2dad53e3e6eac5a78c49e2c8bd2af52539824d14d626f264442d5f587859b288bf0e1de26033319bfca43ac52f195ab7bfd2bc6f8e411a

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\app-3.9.0\log4net.dll

Filesize
273KB

MD5
dc4917fb4953fb82ac01305a18605cd7

SHA1
80ae67800377253afe571f8af59b476264edcca6

SHA256
453b9086a5aab3deb2513de2dd5b21216eb3a9bf2f2c81393891b93e7e5e0fc4

SHA512
d97223d256bf3ce30a504ab986564dff31f498c80d1815b4f8454f6ae8d0c55c9054fde7b80b85df4276fc08e3a1ae2b682960912984eaa1299c8b22308db120

Download Submit
\LetsPRO3.1.9.2 3hAz6vXUCD\appres\DxpT.exe

Filesize
34KB

MD5
dde4e4e601e8b0e7d1621167b709adb4

SHA1
cf152fff93d8bfc7bcde44e41954a36600c4c599

SHA256
53a5ebfe5356da897d550be1017f0c7334d8d9971288abf1398661e288cd983a

SHA512
f9b561ea64f374fa3548a09e26a00ea07baa2fd2d328ebc3668e793c4ebd6c44e8f66f04634a8e3f87b6888f60cc4eb663d073f4384a49b8a435dcc56a6ac8a4

Download Submit
\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-BRUQQ.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-MMG10.tmp\letsvpnx64.tmp

Filesize
2.9MB

MD5
d2aa17505a2b50839cc302dcc9a76f93

SHA1
60c60e7bcfebf721eb8aef58d31c1453a59798cb

SHA256
89bf1d0d4a9a039098ce74632ccd634b30c1f837acea9ab6360d2b50a578c258

SHA512
d4b51c25a14667c0f285ec7907f5483db07cfb8875214de4f6c9bcdae349ef3119ac1fd810b424357ea624c3d4b85e3901eeb7e82a30198dcc4cc95681f4b406

Download Submit
memory/272-125-0x0000000003D50000-0x0000000003D65000-memory.dmp

Filesize
84KB

Download
memory/272-53-0x0000000003AB0000-0x0000000003ABF000-memory.dmp

Filesize
60KB

Download
memory/272-124-0x0000000003AB0000-0x0000000003ABF000-memory.dmp

Filesize
60KB

Download
memory/272-8-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/272-654-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/272-60-0x0000000003D50000-0x0000000003D65000-memory.dmp

Filesize
84KB

Download
memory/272-126-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1148-672-0x0000000003020000-0x000000000343A000-memory.dmp

Filesize
4.1MB

Download
memory/1148-675-0x0000000003020000-0x000000000343A000-memory.dmp

Filesize
4.1MB

Download
memory/1148-925-0x0000000001D30000-0x00000000021B7000-memory.dmp

Filesize
4.5MB

Download
memory/1148-924-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1148-673-0x0000000003020000-0x000000000343A000-memory.dmp

Filesize
4.1MB

Download
memory/1148-668-0x0000000003020000-0x000000000343A000-memory.dmp

Filesize
4.1MB

Download
memory/1148-707-0x0000000003020000-0x000000000343A000-memory.dmp

Filesize
4.1MB

Download
memory/1148-720-0x0000000003020000-0x000000000343A000-memory.dmp

Filesize
4.1MB

Download
memory/1148-667-0x0000000003020000-0x000000000343A000-memory.dmp

Filesize
4.1MB

Download
memory/1148-659-0x0000000001D30000-0x00000000021B7000-memory.dmp

Filesize
4.5MB

Download
memory/1148-1434-0x0000000001D30000-0x00000000021B7000-memory.dmp

Filesize
4.5MB

Download
memory/1924-1190-0x0000000000140000-0x0000000000166000-memory.dmp

Filesize
152KB

Download
memory/2272-702-0x0000000002170000-0x000000000218A000-memory.dmp

Filesize
104KB

Download
memory/2272-684-0x0000000000230000-0x0000000000276000-memory.dmp

Filesize
280KB

Download
memory/2272-737-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2272-711-0x00000000042C0000-0x00000000042E6000-memory.dmp

Filesize
152KB

Download
memory/2272-735-0x0000000005870000-0x0000000005896000-memory.dmp

Filesize
152KB

Download
memory/2272-715-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2272-731-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/2272-738-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/2272-739-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/2272-719-0x00000000042F0000-0x00000000042FA000-memory.dmp

Filesize
40KB

Download
memory/2272-706-0x00000000021A0000-0x00000000021AA000-memory.dmp

Filesize
40KB

Download
memory/2272-1508-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-848-0x00000000061E0000-0x00000000061F2000-memory.dmp

Filesize
72KB

Download
memory/2272-887-0x00000000063D0000-0x00000000063D8000-memory.dmp

Filesize
32KB

Download
memory/2272-886-0x00000000063A0000-0x00000000063B4000-memory.dmp

Filesize
80KB

Download
memory/2272-885-0x0000000006270000-0x0000000006282000-memory.dmp

Filesize
72KB

Download
memory/2272-884-0x0000000006210000-0x0000000006218000-memory.dmp

Filesize
32KB

Download
memory/2272-701-0x0000000002150000-0x000000000216E000-memory.dmp

Filesize
120KB

Download
memory/2272-695-0x0000000004DC0000-0x0000000004E72000-memory.dmp

Filesize
712KB

Download
memory/2272-690-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2272-916-0x000000000EBD0000-0x000000000EBE0000-memory.dmp

Filesize
64KB

Download
memory/2272-918-0x000000002ED20000-0x000000002ED30000-memory.dmp

Filesize
64KB

Download
memory/2272-917-0x000000000EBE0000-0x000000000EBF6000-memory.dmp

Filesize
88KB

Download
memory/2272-724-0x0000000004350000-0x000000000435A000-memory.dmp

Filesize
40KB

Download
memory/2272-680-0x00000000001A0000-0x00000000001C4000-memory.dmp

Filesize
144KB

Download
memory/2272-926-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-923-0x0000000005A00000-0x0000000005A32000-memory.dmp

Filesize
200KB

Download
memory/2272-676-0x00000000009A0000-0x0000000000B0E000-memory.dmp

Filesize
1.4MB

Download
memory/2272-1043-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/2272-1154-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1505-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1502-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1191-0x000000002FFE0000-0x000000003003C000-memory.dmp

Filesize
368KB

Download
memory/2272-1192-0x000000002EDE0000-0x000000002EDFE000-memory.dmp

Filesize
120KB

Download
memory/2272-1197-0x00000000062E0000-0x00000000062F0000-memory.dmp

Filesize
64KB

Download
memory/2272-1198-0x00000000062F0000-0x000000000632A000-memory.dmp

Filesize
232KB

Download
memory/2272-1199-0x0000000006330000-0x0000000006340000-memory.dmp

Filesize
64KB

Download
memory/2272-1204-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1317-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1428-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1432-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1499-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1489-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2272-1496-0x000000006AFC0000-0x000000006BA2B000-memory.dmp

Filesize
10.4MB

Download
memory/2456-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2456-122-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2456-657-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2456-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download