1a2e029e9910f3a3aee454b44f28db7f2a4e6078a108e92876483cff08769825

Analysis

max time kernel
210s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IesVpn-winx64.exe
Size

36.3MB
MD5

680e7c4978fd2a85ebc5e7af6da2e2a8
SHA1

4a2b353da3a43a45fdfa2f121a01cec31ee9518a
SHA256

1a2e029e9910f3a3aee454b44f28db7f2a4e6078a108e92876483cff08769825
SHA512

1e16682d12763970366ef91448faf14aaea990011dab71865903c1e1de1dea33591cc27151670281b6bf4c0a3d625ee91eb71f937e7cc0d6354a65f17bea2cc6
SSDEEP

786432:3eDkNsEq0/QflO3w3wmYu0X6pwOOMuygT/hr2R+Q/:OANFsObmYGeOOtygTpr1Q/

Score

10^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4028 created 1428	4028	updervn.exe	113
PID 220 created 1904	220	VaLvczhal.exe	138

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SETF8ED.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF8ED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	IesVpn-winx64.tmp
4028	updervn.exe
1052	VaLvczhal.exe
3048	VaLvczhal.exe
2540	LetsPRO.exe
4884	LetsPRO.exe
2920	VaLvczhal.exe
1144	tapinstall.exe
4492	VaLvczhal.exe
220	VaLvczhal.exe
3164	VaLvczhal.exe

Loads dropped DLL 64 IoCs

pid	Process
4028	updervn.exe
1052	VaLvczhal.exe
3048	VaLvczhal.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
4884	LetsPRO.exe
4884	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
4884	LetsPRO.exe
4884	LetsPRO.exe
4884	LetsPRO.exe
4884	LetsPRO.exe
4884	LetsPRO.exe
4884	LetsPRO.exe
2540	LetsPRO.exe
2920	VaLvczhal.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
4492	VaLvczhal.exe
220	VaLvczhal.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
3164	VaLvczhal.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LetVProtecter\\letsvpn\\app-3.9.0\\LetsPRO.exe\" /silent"	LetsPRO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	VaLvczhal.exe
File opened (read-only)	\??\T:	VaLvczhal.exe
File opened (read-only)	\??\Y:	VaLvczhal.exe
File opened (read-only)	\??\Z:	VaLvczhal.exe
File opened (read-only)	\??\B:	VaLvczhal.exe
File opened (read-only)	\??\H:	VaLvczhal.exe
File opened (read-only)	\??\L:	VaLvczhal.exe
File opened (read-only)	\??\N:	VaLvczhal.exe
File opened (read-only)	\??\O:	VaLvczhal.exe
File opened (read-only)	\??\V:	VaLvczhal.exe
File opened (read-only)	\??\X:	VaLvczhal.exe
File opened (read-only)	\??\G:	VaLvczhal.exe
File opened (read-only)	\??\J:	VaLvczhal.exe
File opened (read-only)	\??\K:	VaLvczhal.exe
File opened (read-only)	\??\M:	VaLvczhal.exe
File opened (read-only)	\??\E:	VaLvczhal.exe
File opened (read-only)	\??\I:	VaLvczhal.exe
File opened (read-only)	\??\S:	VaLvczhal.exe
File opened (read-only)	\??\W:	VaLvczhal.exe
File opened (read-only)	\??\P:	VaLvczhal.exe
File opened (read-only)	\??\Q:	VaLvczhal.exe
File opened (read-only)	\??\U:	VaLvczhal.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2124	cmd.exe
3508	ARP.EXE

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\SETE46B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\SETE46B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\SETE46C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\SETE46C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\SETE46D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}\SETE46D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a1237ac0-ab92-bf41-b051-2feb9c92ef8f}	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
4028	updervn.exe
4028	updervn.exe
1052	VaLvczhal.exe
1052	VaLvczhal.exe
3048	VaLvczhal.exe
3048	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
3048	VaLvczhal.exe
4492	VaLvczhal.exe
4492	VaLvczhal.exe
220	VaLvczhal.exe
220	VaLvczhal.exe
3164	VaLvczhal.exe
3164	VaLvczhal.exe
2920	VaLvczhal.exe
3164	VaLvczhal.exe
2920	VaLvczhal.exe
3164	VaLvczhal.exe
2920	VaLvczhal.exe
3164	VaLvczhal.exe
2920	VaLvczhal.exe
3164	VaLvczhal.exe
2920	VaLvczhal.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VaLvczhal\support_report.inf	VaLvczhal.exe
File created	C:\Windows\VaLvczhal\zlibai.dll	VaLvczhal.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\VaLvczhal\VaLvczhal.exe	VaLvczhal.exe
File opened for modification	C:\Windows\VaLvczhal\VaLvczhal.exe	VaLvczhal.exe
File created	C:\Windows\VaLvczhal\support_report.inf	VaLvczhal.exe
File opened for modification	C:\Windows\VaLvczhal\zlibai.dll	VaLvczhal.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IesVpn-winx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IesVpn-winx64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LetsPRO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LetsPRO.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3544	ipconfig.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\ = "letsvpn2Protocol"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LetVProtecter\\letsvpn\\app-3.9.0\\LetsPRO.exe\",1"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LetVProtecter\\letsvpn\\app-3.9.0\\LetsPRO.exe"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LetVProtecter\\letsvpn\\app-3.9.0\\LetsPRO.exe\" \"%1\""	LetsPRO.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 0f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be0b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000006200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a3814000000010000001400000032eb929aff3596482f284042702036915c1785e61d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f609000000010000000c000000300a06082b06010505070303030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 1900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d09000000010000000c000000300a06082b060105050703031d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f614000000010000001400000032eb929aff3596482f284042702036915c1785e66200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a380b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000000f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 040000000100000010000000d79917c9aaf881346040f8afd3960af60f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be0b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000006200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a3814000000010000001400000032eb929aff3596482f284042702036915c1785e61d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f609000000010000000c000000300a06082b06010505070303030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d1900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 5c0000000100000004000000001000001900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d09000000010000000c000000300a06082b060105050703031d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f614000000010000001400000032eb929aff3596482f284042702036915c1785e66200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a380b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000000f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be040000000100000010000000d79917c9aaf881346040f8afd3960af620000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	IesVpn-winx64.tmp
2716	IesVpn-winx64.tmp
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2920	VaLvczhal.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
5000	msedge.exe
5000	msedge.exe
60	msedge.exe
60	msedge.exe
5540	identity_helper.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeAuditPrivilege	2720	svchost.exe
Token: SeSecurityPrivilege	2720	svchost.exe
Token: SeDebugPrivilege	2540	LetsPRO.exe
Token: SeLoadDriverPrivilege	1144	tapinstall.exe
Token: SeRestorePrivilege	4780	DrvInst.exe
Token: SeBackupPrivilege	4780	DrvInst.exe
Token: SeLoadDriverPrivilege	4780	DrvInst.exe
Token: SeLoadDriverPrivilege	4780	DrvInst.exe
Token: SeLoadDriverPrivilege	4780	DrvInst.exe
Token: SeIncreaseQuotaPrivilege	2540	LetsPRO.exe
Token: SeSecurityPrivilege	2540	LetsPRO.exe
Token: SeTakeOwnershipPrivilege	2540	LetsPRO.exe
Token: SeLoadDriverPrivilege	2540	LetsPRO.exe
Token: SeSystemProfilePrivilege	2540	LetsPRO.exe
Token: SeSystemtimePrivilege	2540	LetsPRO.exe
Token: SeProfSingleProcessPrivilege	2540	LetsPRO.exe
Token: SeIncBasePriorityPrivilege	2540	LetsPRO.exe
Token: SeCreatePagefilePrivilege	2540	LetsPRO.exe
Token: SeBackupPrivilege	2540	LetsPRO.exe
Token: SeRestorePrivilege	2540	LetsPRO.exe
Token: SeShutdownPrivilege	2540	LetsPRO.exe
Token: SeDebugPrivilege	2540	LetsPRO.exe
Token: SeSystemEnvironmentPrivilege	2540	LetsPRO.exe
Token: SeRemoteShutdownPrivilege	2540	LetsPRO.exe
Token: SeUndockPrivilege	2540	LetsPRO.exe
Token: SeManageVolumePrivilege	2540	LetsPRO.exe
Token: 33	2540	LetsPRO.exe
Token: 34	2540	LetsPRO.exe
Token: 35	2540	LetsPRO.exe
Token: 36	2540	LetsPRO.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2716	IesVpn-winx64.tmp
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
2540	LetsPRO.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3164	VaLvczhal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 2716	3764	IesVpn-winx64.exe	87
PID 3764 wrote to memory of 2716	3764	IesVpn-winx64.exe	87
PID 3764 wrote to memory of 2716	3764	IesVpn-winx64.exe	87
PID 2716 wrote to memory of 4028	2716	IesVpn-winx64.tmp	109
PID 2716 wrote to memory of 4028	2716	IesVpn-winx64.tmp	109
PID 4028 wrote to memory of 1052	4028	updervn.exe	114
PID 4028 wrote to memory of 1052	4028	updervn.exe	114
PID 4376 wrote to memory of 3048	4376	cmd.exe	118
PID 4376 wrote to memory of 3048	4376	cmd.exe	118
PID 2540 wrote to memory of 1120	2540	LetsPRO.exe	126
PID 2540 wrote to memory of 1120	2540	LetsPRO.exe	126
PID 2540 wrote to memory of 1120	2540	LetsPRO.exe	126
PID 1120 wrote to memory of 1144	1120	cmd.exe	128
PID 1120 wrote to memory of 1144	1120	cmd.exe	128
PID 2720 wrote to memory of 3312	2720	svchost.exe	130
PID 2720 wrote to memory of 3312	2720	svchost.exe	130
PID 3048 wrote to memory of 4492	3048	VaLvczhal.exe	131
PID 3048 wrote to memory of 4492	3048	VaLvczhal.exe	131
PID 2920 wrote to memory of 220	2920	VaLvczhal.exe	132
PID 2920 wrote to memory of 220	2920	VaLvczhal.exe	132
PID 2720 wrote to memory of 4780	2720	svchost.exe	133
PID 2720 wrote to memory of 4780	2720	svchost.exe	133
PID 220 wrote to memory of 3164	220	VaLvczhal.exe	139
PID 220 wrote to memory of 3164	220	VaLvczhal.exe	139
PID 2540 wrote to memory of 3492	2540	LetsPRO.exe	141
PID 2540 wrote to memory of 3492	2540	LetsPRO.exe	141
PID 2540 wrote to memory of 3492	2540	LetsPRO.exe	141
PID 3492 wrote to memory of 3544	3492	cmd.exe	143
PID 3492 wrote to memory of 3544	3492	cmd.exe	143
PID 3492 wrote to memory of 3544	3492	cmd.exe	143
PID 2540 wrote to memory of 3064	2540	LetsPRO.exe	150
PID 2540 wrote to memory of 3064	2540	LetsPRO.exe	150
PID 2540 wrote to memory of 3064	2540	LetsPRO.exe	150
PID 3064 wrote to memory of 3724	3064	cmd.exe	146
PID 3064 wrote to memory of 3724	3064	cmd.exe	146
PID 3064 wrote to memory of 3724	3064	cmd.exe	146
PID 2540 wrote to memory of 2124	2540	LetsPRO.exe	147
PID 2540 wrote to memory of 2124	2540	LetsPRO.exe	147
PID 2540 wrote to memory of 2124	2540	LetsPRO.exe	147
PID 2124 wrote to memory of 3508	2124	cmd.exe	149
PID 2124 wrote to memory of 3508	2124	cmd.exe	149
PID 2124 wrote to memory of 3508	2124	cmd.exe	149
PID 2540 wrote to memory of 3064	2540	LetsPRO.exe	150
PID 2540 wrote to memory of 3064	2540	LetsPRO.exe	150
PID 2540 wrote to memory of 3064	2540	LetsPRO.exe	150
PID 2540 wrote to memory of 1916	2540	LetsPRO.exe	155
PID 2540 wrote to memory of 1916	2540	LetsPRO.exe	155
PID 2540 wrote to memory of 1916	2540	LetsPRO.exe	155
PID 1916 wrote to memory of 1852	1916	cmd.exe	157
PID 1916 wrote to memory of 1852	1916	cmd.exe	157
PID 1916 wrote to memory of 1852	1916	cmd.exe	157
PID 2540 wrote to memory of 60	2540	LetsPRO.exe	158
PID 2540 wrote to memory of 60	2540	LetsPRO.exe	158
PID 60 wrote to memory of 732	60	msedge.exe	159
PID 60 wrote to memory of 732	60	msedge.exe	159
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160
PID 60 wrote to memory of 1940	60	msedge.exe	160

C:\Users\Admin\AppData\Local\Temp\IesVpn-winx64.exe
"C:\Users\Admin\AppData\Local\Temp\IesVpn-winx64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\is-HUQNL.tmp\IesVpn-winx64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HUQNL.tmp\IesVpn-winx64.tmp" /SL5="$130042,36942677,735744,C:\Users\Admin\AppData\Local\Temp\IesVpn-winx64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Programs\LetVProtecter\updervn.exe
    "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\updervn.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\system32\winver.exe
      C:\Windows\system32\winver.exe
      4⤵
      PID:1300
  - - C:\Windows\system32\computerdefaults.exe
      C:\Windows\system32\computerdefaults.exe
      4⤵
      PID:1428
    - - C:\Users\Admin\AppData\Local\Programs\LetVProtecter\VaLvczhal.exe
        
        C:\Users\Admin\AppData\Local\Programs\LetVProtecter\VaLvczhal.exe 41265C0AAD964DDC431C9 4028 "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1052

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\VaLvczhal.exe" "682de61d43cc5c649c5c" 1052 "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Programs\LetVProtecter\VaLvczhal.exe
  "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\VaLvczhal.exe" "682de61d43cc5c649c5c" 1052 "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\VaLvczhal\VaLvczhal.exe
    C:\Windows\VaLvczhal\VaLvczhal.exe e4a4d38bf71981a8081 1052 "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4492

C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsPRO.exe
"C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsPRO.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\driver\tapinstall.exe" install "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\driver\oemVista.inf" tap0901"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\driver\tapinstall.exe
    "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\driver\tapinstall.exe" install "C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\driver\oemVista.inf" tap0901
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ipconfig /all
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C route print
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\ROUTE.EXE
    route print
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C arp -a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3508
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C netsh wlan show hostednetwork
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show hostednetwork
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://d1gx3j8kwj94us.cloudfront.net/login?token=token_8a0ba86998670c0f578d9ee1f82d196c
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fc0c46f8,0x7ff9fc0c4708,0x7ff9fc0c4718
    3⤵
    PID:732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
    3⤵
    PID:1940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:5248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:5964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
    3⤵
    PID:5980
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
    3⤵
    PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9378788454160473071,13356587348117404341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5540

C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsPRO.exe
"C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsPRO.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4884

C:\Windows\VaLvczhal\VaLvczhal.exe
"C:\Windows\VaLvczhal\VaLvczhal.exe" "84b87070105a684e7"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\VaLvczhal\VaLvczhal.exe
  "C:\Windows\VaLvczhal\VaLvczhal.exe" "cb1c9878ef15f86e4c"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\winver.exe
    C:\Windows\system32\winver.exe
    3⤵
    PID:1932
- - C:\Windows\system32\computerdefaults.exe
    C:\Windows\system32\computerdefaults.exe
    3⤵
    PID:1904
  - - C:\Windows\VaLvczhal\VaLvczhal.exe
      C:\Windows\VaLvczhal\VaLvczhal.exe 53F694EB799C14 220
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:3164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f5f85797-3b4a-d348-ad32-ef76da46aaaf}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\local\programs\letvprotecter\letsvpn\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3312
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:2420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
28bcf93ce50b6e8f22eac1ed57484f80

SHA1
90982c19ebc3acca3b8279437a85ed861c2cb75f

SHA256
62945ee32efd26c0601e115b17e8d122e945e6a4308ed5051ba98b860e3aa125

SHA512
0f16dee41e6567bfffeafd543aab9090efd138ada3768d129f0a14215661d220cabbddd203aec3161e1497c548b1aa59d0eec6dfa157e843e58350b1acf71367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
73fc1ab8d29360cba7f727b6d3b1f1ba

SHA1
70fd3953b4bbe583673d173557ef7d487f9c4e4e

SHA256
6ecbcf7be13cac3a062342df7627f92cedb3186d072101ae55787e8eab31068b

SHA512
65d894f002977466b1d5ab4ccb63037fd097338e53e9d3d4f871fc4f5bc148f10b0c1697d96f711a87ee05549d82dba216f32268043dd8dc690e05285a705a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ad81e6604a7f4650ef7f2502be86659c

SHA1
0800f7271a9fa6130133d1f2dd57d94251874bdc

SHA256
e511b42aa4271fff8e8017e40a8bb0d6dd964138018d588d42dee657d2994936

SHA512
4e7d1273ec3440d6655f2430f5e12d8b7acd27612031e06459ed3fad38dbd6c3c9513f6c96dbc4cabc707ff347365814048ce3df4541015bf7b9de36cf52af31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3dd10b99e304c54a7598b48748a36fb4

SHA1
cfa33c758dbdb6b3666563629065afb43e39c2d0

SHA256
a37a4cc678043ecdc0b53de7b897e3448298b161b69e0cc7a660f0d845dd967b

SHA512
678a46d2caeb240dba8da6b6e3b7679745ee74c92c31eeb702e50cce22dfe8a0ab0be829d5273dac24024dbe185cbefaa9c2c88b0a69093b6673b794c593c13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d20c286e3a0f3debf14200c88876651f

SHA1
b30b298d6db8fff4a324282cf9f928996ce464ae

SHA256
81529bd4da1b12c55edbe84b0f92d23983c26cd1b73cc4812cfa693e089297da

SHA512
d7e0d10c1b1522bd57c1b518c8be0016d3a65921a3e942364fc0b01cf79a7ec1ed79451ebb31195d611cf67f855ba1282b9f01ecd5b8829e23654a625cba3b26

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\CommunityToolkit.Mvvm.dll

Filesize
109KB

MD5
dfe09bc93d85a91f424c6401e33051b6

SHA1
c30ef46ceef3f3b3135d58da4925d1aea38b3203

SHA256
9214df29fcefe144f2ecf908cf9f2169e49e91fa56b1ec3223a4b184ff5f612c

SHA512
b05b756b3b63455d870c03790178c2c6f7234cd4b25f6dedf47f249fd2a30a844a031af97e2d22f37a5999981614a3ef0e0d8748a05448987d72073c86afeb48

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsPRO.exe

Filesize
1.4MB

MD5
71f9f9c8a27965572a7ea9c8055232c1

SHA1
36748c1df3992eb5677c33b08f2ca56d901bb4cb

SHA256
eb3d30d96a5a2dedb003f2c3192b9d8d60a895b0c1f2c230e2a5498f711428b4

SHA512
28d12e00e46c7cc9c65b72d80cab58d4f0fcfdfa5037404081898ca94d71c1c7152cbb2ef6e36cab77f03f6a7a22478e91f892030e72799ab816edd0cb37fc30

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsPRO.exe.config

Filesize
22KB

MD5
ebaeca4375f9cc819ff3835ba62717de

SHA1
819d4ad83729d709a3ed6172e2c608af70de3d03

SHA256
a12e73eb35a51a227afd1318edb824a77cbe60d2fbf67e1463404c0673e42d9c

SHA512
311d6aa1a8608b327bfa97cb77e4e21a44946438f60c6c2fc9e0bf9ef97434138d0136ca1d55c7d836d72a03cebec63beefd974219ab8ea580eddf3e23e76d3f

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsVPNDomainModel.dll

Filesize
21KB

MD5
b8ab11073f53a6312529489434f76db9

SHA1
26d497e6bc5227f193acfd9d3d4987c1326514e7

SHA256
7171bc86ad77ad2abceaa61f199d3958f6864450868ab9ae3acce381dce1c0bb

SHA512
05c734c3f5b660bdc37e2ad24201be4377a21d86be9d3f4aed2411eae4113f9c9ffa0fec43a79453b166af9e5e8e041c69019ed9f10c30fb8e295286321d3c90

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\LetsVPNInfraStructure.dll

Filesize
23KB

MD5
ae5033063d375120c813fe2a49820727

SHA1
d23641a2909b60db763952435c54efa8f6bd4db7

SHA256
a081ed96055cbb0082b1c15bf092c4888cff3a1f76bc56746c7913667fdf9822

SHA512
b00720240aa6961b628d016dc4e60d58182f42831f1e2a9707f85f300e11ea1263e34f2048246dcba392146ff014ae300cb307eba0052edd8fb752d9b9fc8896

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\Microsoft.AppCenter.Analytics.dll

Filesize
22KB

MD5
6f1f7a516e67c908d8c90c5b30f301f4

SHA1
b058c21249cd561e16a56a0e1f6f61d44983aaec

SHA256
b39d33fdce42f0a05bfa300f7563ed75fb3e0f2a4826a1f4c01ba6dd83cc48c5

SHA512
10c23637fe87963ebe65119f4059c715b05accea5b14c4d3d98ca4c1046b164e093ec8db9c7a5a7f2a9f8e4ce055a5f534f11b86d1c4afef94110a8abb7d38c1

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\Microsoft.AppCenter.dll

Filesize
138KB

MD5
08e9fb0153dd4065528f1d92e0e8f6b7

SHA1
a22cc2ecafb9e05bb4f1afe0f5fbd7072594f6e0

SHA256
f7451c33199518f39dc1f592529f1054cb9b85369c1a9ed67cb7506c6ffad3b4

SHA512
24db36e577884fee8d23b22f8bb950cd078dcab871aa0d7580ae47c0811908f8e81ae39f968c99da0c001362dffcb3b103cfab415fc7a8c1491dda69b604473a

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\Newtonsoft.Json.dll

Filesize
693KB

MD5
44bf96b5782fb6c3723189464ce376a9

SHA1
d78d67bace31a428b38125d313a42fa9f6e6a0bf

SHA256
d738252b00f38b0d9421a5c7b4195b65710eac996df1efc4877664735d7b2ace

SHA512
36058bf73de1da1a81bb1eb15dc2b847a0172595fa3de23edfe3b96275ce6ede5fbc8987640af4b8179d93c7964491aeef8ba42993fcab260b753bed0177b27f

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\System.Buffers.dll

Filesize
21KB

MD5
77bb70791e61ac8edd227a9ffb34ce34

SHA1
966cf5c7c5be06c11eb7cef8d40250d3f8fe498b

SHA256
2299c772cd3676f79568d4d94c7b9a4ac8b60a5c98b84568d714a6cc77a91315

SHA512
f6ef04cdbe8a27c994ca39b506a4b3b84144f2af0637d70ff7db4c79bd06c183bb3719cfb61c1f669fe2183eb49706e19ce214f205384022822f26c74e86fc17

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\System.Memory.dll

Filesize
138KB

MD5
fb29c7f3049f3ac34e92699ba264fc5b

SHA1
b2b39d86a2aac4043c3a734b87ec59e8cc4abe70

SHA256
b482c6937515c7e19c97ac653475c138f01ed2475478690230b4ac3ab8cd0984

SHA512
f2adb1ae1878bb72afb000a67876fbfbf068c067ebc8a7156d274390ed7ea90d659a4918eac3ae53c78d3552905ac8e4077b95447ad246e71872bb2cea76558f

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\System.Runtime.CompilerServices.Unsafe.dll

Filesize
18KB

MD5
311207903ae3b461eeaf73c1e1ce7470

SHA1
7ef8daac87248f0bc144c3334496ebd2dc89aafe

SHA256
73ab48609cde990826dcb9ac54b0f439a98dc7dbf3021e527903d010565f8c21

SHA512
8bd9bc218663aa85aba0d9097ae969a73923cf185d6446654be42111c4b32472e403f123c462bd5f4fa38a2ed8094996c7a523441499f4e3344b16fe935afcee

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\System.Runtime.InteropServices.RuntimeInformation.dll

Filesize
21KB

MD5
11f1dec2f83f2e832e56a0e32f83feaa

SHA1
27ec65236be02507ad70708333fe503adb07cabe

SHA256
a4e2e16ad23e6874783ca18d42bd119b7a18e77b6ca66374d5b62f961e83c83b

SHA512
35d8435d25478613081cb165bf566a2b2071efdac4309ac0be367681882f0aaa019240a15285d959a44f09ebedac64a63fb70e09dd3007c81675cab889005a78

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\Utils.dll

Filesize
126KB

MD5
d144ac9b53c174ae896d54a5ce7ad9af

SHA1
62be56006381323045af6d2bc4cf28445fcf18d5

SHA256
7569d9dde7ff3efc6c82c797e44aa67cdf8e055476c873b192675a38fbd903e9

SHA512
b26f278340440ef2cd2dad53e3e6eac5a78c49e2c8bd2af52539824d14d626f264442d5f587859b288bf0e1de26033319bfca43ac52f195ab7bfd2bc6f8e411a

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\libwin.dll

Filesize
10.2MB

MD5
31dc3b6908dc8064a57d4ac304eadd15

SHA1
5cb8d2a8efc7d286e235f92d3c84478fa7e21e6b

SHA256
dd20e8ac57d70710e1d51159fec47ef626a133f1a57fd0e721a0706c1a1af11e

SHA512
fe82c1a8517cc13d25714ef1eb347291360681ec69c2e0b79a826a16bbe58518dea12f63848f3c72c7499c046c0043d9cb9d2dfbd04ebf1622a136ceb589ef0f

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\log4net.config

Filesize
3KB

MD5
28f9077c304d8c626554818a5b5f3b3a

SHA1
a01f735fe348383795d61aadd6aab0cc3a9db190

SHA256
746b5675ea85c21ef4fcc05e072383a7f83c5fe06aaa391fc3046f34b9817c90

SHA512
485c175bc13c64601b15243daecbf72621883c2ff294852c9bbb2681937f7ef0bea65361e0f83131ec989432326442ef387c1ccf2a7ca537c6788b8fd5c0021e

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\app-3.9.0\log4net.dll

Filesize
273KB

MD5
dc4917fb4953fb82ac01305a18605cd7

SHA1
80ae67800377253afe571f8af59b476264edcca6

SHA256
453b9086a5aab3deb2513de2dd5b21216eb3a9bf2f2c81393891b93e7e5e0fc4

SHA512
d97223d256bf3ce30a504ab986564dff31f498c80d1815b4f8454f6ae8d0c55c9054fde7b80b85df4276fc08e3a1ae2b682960912984eaa1299c8b22308db120

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\p-try\is-17LL1.tmp

Filesize
1KB

MD5
915042b5df33c31a6db2b37eadaa00e3

SHA1
5aaf48196ddd4d007a3067aa7f30303ca8e4b29c

SHA256
48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0

SHA512
9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\pump\is-0Q5IL.tmp

Filesize
1KB

MD5
9befe7026bf915886cd566a98117c80e

SHA1
a95ab3a4b0e4bd978897f09b3b430a449da20a08

SHA256
3fe8d55a98dbf260eace67c00cf9bc53edb46234e840098a0b93df3096b97fb6

SHA512
b52ba143042812d6dd1031a12946afddb6e8f8ebbc7169c59c138d16aafc5e261aae92fe6b1ea94a3d80e39d2415c4b219710ef46939a2df135db24a0cf712fb

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\puppeteer-core\lib\cjs\puppeteer\api\is-5DCJ1.tmp

Filesize
10KB

MD5
4cccc7dd6d41548966764d4b150ebaf9

SHA1
9b12c67074a1146b3f9cb71578b6449d6c769333

SHA256
95ed23f5e0e9c970b2908928df8264087d11e31ea72663c32066a7cda4341261

SHA512
2285b88b12bfad1d36899d002f2999b88492571fc5d1c0631739908d39c5bdb4ebdf405d92b9aef26c1fa509e866e310bd6fffb1f00905e08eb57c0855de4edc

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\puppeteer-core\lib\esm\puppeteer\api\is-9RLJ0.tmp

Filesize
10KB

MD5
b3e85b60aa95528064a86c2bc3ccfbe1

SHA1
08af560d4568f7bd84e0a1878a580f6e77b42c58

SHA256
9fd1a2950ef3d1ae288a2349e2a4dc6bdfea7590e9f649c75763cd63552420b7

SHA512
cd495c838c0df68a2bd70ea68b8ba8c15c4d990cea96a51c964e63c949b14c0a5e2e72bb64f7b16006f968119e1af01433e44cc8b68aa22f3c7ee7d0cad92745

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\quasar\dist\api\is-568M4.tmp

Filesize
586B

MD5
f937506e30efadf9cad7de0f2e8b6ef4

SHA1
d329734bcca0d55faaeeb3d6ec7d18f21ec17ecf

SHA256
373ab4932e9b7e5e21492c2d79c807815a6cd3c8d3bb06d3a8228fbdca47ba83

SHA512
ca466f1bbf9ab876bc106ab726df8bad24fa800612ffb30c681973ab60a4883c51a196dae16b7fc1ee80b43b8532b9f2d768ca983f839ac0ba6d1874902fe633

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\quasar\src\components\spinner\is-ERII3.tmp

Filesize
57B

MD5
61a3de250bc0e73b428fef7bbc9a4a79

SHA1
2167d7ccd1d82320f05695981b19e3d2e2f6d627

SHA256
e1645da3725b5fc270935853235d7ab489b135f6ce1f71e6f577c1d1f30ab9de

SHA512
ea9499b4d33e9136c0d1540a878bf0c18513a84d4be14eac02f5d1591bfb002b8cd6af332bcaf2da58943da2d79a1a3c42f93a87baa800b7dca815c6b968bfb6

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\stream-http\node_modules\readable-stream\is-GU5F1.tmp

Filesize
2KB

MD5
a67a7926e54316d90c14f74f71080977

SHA1
d3622fac093fe1cbcb4d8e8d35801600b681fc45

SHA256
ec62dc96da0099b87f4511736c87309335527fb7031639493e06c95728dc8c54

SHA512
e61de704d5a76afd66b5d9b1c78f0a5afe9a846686ca2fb28c814a4a60dbe82a190ed4a6a2f31e09bf6d695b8ec178ebea9804593029c58c1b1bedd793324d13

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\stream-http\node_modules\readable-stream\is-M2JF1.tmp

Filesize
5KB

MD5
70b44945cec4643ca805d87f673fbd34

SHA1
f30fd9ba0fa4f12c900d1b7bb248aa568a72cc3c

SHA256
7a521e462d1c6f3b599c44637fb337bbf969dda311510a87236ec539a415331d

SHA512
586f0f2a46ae29e8dc0b5931e144d3b7536057cb0a6d2ecfc72544c5048a1fc9417d14fbdb45f33e21eef99a2a0e302a3c74d2f8e360573544c8328593053daa

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\stream-http\node_modules\readable-stream\is-MKLV8.tmp

Filesize
1KB

MD5
08365b138b43284489ecfbf6efd44a25

SHA1
1b97e91ac67fcbbd711dedd3b5c388c08489eeaa

SHA256
56e4e12a6934a2c4d36c7bf893f4d8aefa6c96f9ffcec357dfa6476e36c4f1f5

SHA512
85494ca6582db6aa3679f532c540f2075516628c02abd6fc827369cf8ec1f2ac66092ff815406d4670c7a33cadc62f34c2c478136953656ce85a7d5755f8c31e

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\stream-http\node_modules\readable-stream\lib\internal\streams\is-5VKGH.tmp

Filesize
49B

MD5
df20453c19af8406babdf987facd76d9

SHA1
0167a0dc72daab83989846563aae870f37549151

SHA256
72d46a15491627d8fb1489a47d03583cfe5c21902918016ab532b53e615e5a9a

SHA512
8004aca5efc10cf89bf41ecbb6586f9acd707ef3b789cc714043c48c0d47b6479d9d2c2fd9894aedc683edcb88fad8b28517d329417d6e2d0e2b639d964956d9

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\stream-http\node_modules\readable-stream\lib\internal\streams\is-BUQQP.tmp

Filesize
36B

MD5
76bae0aaca4d9c61a71995751b67448b

SHA1
90b89ec87417d1301e7615a3ba50b04626c2796c

SHA256
1e7903927df33aadb3659ecce55266c9c851da65ce6c8b723a60a305c1c5422c

SHA512
9be70625af9c47a3772622031cdc4ada6e009d9ddf71f7409109ef6b6adfb444414630897eab07f77bd268f66c9462d199cb72934e0bb4fdbbe614f16bb3de24

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\stream-http\node_modules\safe-buffer\is-J82K2.tmp

Filesize
1KB

MD5
badd5e91c737e7ffdf10b40c1f907761

SHA1
07d9563f6153658de124707787ff43f0458ab24a

SHA256
c7cc929b57080f4b9d0c6cf57669f0463fc5b39906344dfc8d3bc43426b30eac

SHA512
ef233f8db609b7025e2e027355ee0b5e7b65b537506412ca1a4d95e74f2be2fe284c3a3fa36cb9d85dbd1a35fe650fe14de5b4d93ab071f2024c1fc8cf40730e

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\string_decoder\is-ITGTC.tmp

Filesize
2KB

MD5
14af51f8c0a6c6e400b53e18c6e5f85c

SHA1
36791ee8e28518f9fb92b51ad9e4247708be9c55

SHA256
11f2aafb37d06b3ee5bdaf06e9811141d0da05263c316f3d627f45c20d43261b

SHA512
a7ffef419c24a9420ce268a6f3c7cca136bb47d2a33da37d08bd5ea213a3f58e9e28375ed3bb457ecf7c0c1b3f1434366da4e8bef219482fcf599d804575e5fb

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\string_decoder\lib\is-98O3U.tmp

Filesize
9KB

MD5
0d4d70ba095a2af4afd7069a295d2f6c

SHA1
440bd1828612d1e583e33a4ec304673a11c782af

SHA256
f1d36d47b2c579063392c1a68963467f2d4f51a069af09eb068d974c63ee3b37

SHA512
f527fcaa28387a43a4df21c3c2e43e001b036a179383a61c58e194a33f67ac3ce445ef692d21e8f79139374f4a0749d1cebd2cdb59a4d9b4d2ec71bffd8b3be2

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\string_decoder\node_modules\safe-buffer\is-R3AG3.tmp

Filesize
1KB

MD5
b1622ff2944ba3f13a1cf6fbcf0f9e3f

SHA1
f67b8decb99eed068f28c9ae56df08c21bf4c33d

SHA256
d58af21cb0518864d0c505742d1af71e5b5e1f142f4c0f27353aa0f431a616d4

SHA512
600b49f49832ee51ffd8f6c99616387d93bb1fc2afee71d2066f982e39080a1508999ef2e2bf714d5f6adabaa8b72d3c5cdb445c8c36b67064dd76b377b7f889

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\string_decoder\node_modules\safe-buffer\is-TQBU3.tmp

Filesize
500B

MD5
b55e2fba27745164c9cdb610293d470b

SHA1
bdf56f6d8cd14a6791c3a42f48e61d0a8ff660e8

SHA256
0bb53dcf379ffebc8f8baa2d2a4efc80be25f203509da73cc17864b97cb9556e

SHA512
22150dd9b47bf3f92f2417ad484d696c4567d95f35ea47ec61a710b1a10567df504358892f8b1e3fa7930d3c4424c09f90a84b2cb991fc5d3e33228ea50e1766

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\tar-stream\is-M1GSF.tmp

Filesize
72B

MD5
ee0590371028f8289cb74effdfb3d25e

SHA1
02d80878508b3687b56cc181c3953e596da53521

SHA256
0db9eceef5224dbc34c224c398b50eef4b99f937c80c81f660928615a248ed4f

SHA512
957c8510abeb083a1c69e4a13965be70699d10c11b37d00f6951d2be73c5eeb15df8355280e51e7bfff49e969acded8e8bb8c0f2fad8e57dae7535087afdf487

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\urllib\node_modules\lru-cache\is-4DQ9K.tmp

Filesize
765B

MD5
82703a69f6d7411dde679954c2fd9dca

SHA1
bb408e929caeb1731945b2ba54bc337edb87cc66

SHA256
4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b

SHA512
3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\urllib\node_modules\socks-proxy-agent\node_modules\ms\is-KI4KA.tmp

Filesize
1KB

MD5
fd56fd5f1860961dfa92d313167c37a6

SHA1
884e84ebfddafd93b5bb814df076d2ebd1757ba8

SHA256
6652830c2607c722b66f1b57de15877ab8fc5dca406cc5b335afeb365d0f32c1

SHA512
2bec1efb4dc59fa436c38a1b45b3dbd54a368460bcbbb3d9791b65275b5dc3c71a4c54be458f4c74761dccb8897efaab46df5a407723da5c48f3db02d555d5b9

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\win-release\is-6SF8O.tmp

Filesize
1KB

MD5
a12ebca0510a773644101a99a867d210

SHA1
0c94f137f6e0536db8cb2622a9dc84253b91b90c

SHA256
6fb9754611c20f6649f68805e8c990e83261f29316e29de9e6cedae607b8634c

SHA512
ae79e7a4209a451aef6b78f7b0b88170e7a22335126ac345522bf4eafe0818da5865aae1507c5dc0224ef854548c721df9a84371822f36d50cbcd97fa946eee9

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\letsvpn\node_modules\yargs-parser\is-ATMQT.tmp

Filesize
731B

MD5
8fd106383180f7bbb8f534414fdf7d35

SHA1
47edc4b4e929248ad6e423bf3a6736c320a3277c

SHA256
365496ca1f56da40b23c9815fc40fa9005847b2f8f8fd1c1a4929ef25ec8cd1d

SHA512
113a0fb1a7939f59bf84a29a58e349870aa3bc85afadae428d631ac7ec8258bac8375fe31522f03e484debc562430603baeb7d28256719140a26ec5aca7e9104

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\support_report.inf

Filesize
10.6MB

MD5
b6188441b4a3c8447714a8c58b857e98

SHA1
94ec53d8473c3280c198eed210befdf901832a95

SHA256
72533edc34513092a6e73760647be67257a895e2c65876e8d03120dec1dfaf0c

SHA512
b9ae3af40d873eeea0dbf6f380e3fb8e622e13ada4e31c9d39fc2c53e1138ee790fe93c1483364ffd61551da9da4d8f60ffabb0731e916b270efe01c095975c1

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\updervn.exe

Filesize
5.8MB

MD5
66b93370d7a832f889acc395e3ec16c2

SHA1
1126912895968dbbb38a7e729f206b6c9aed346b

SHA256
f8d41f0b9c9764a826e0d40b3926ea8be2f3c551b0de9594e227e8681bcb0a69

SHA512
03684cac3fe5390d1a67e3cddf61789b9eb4e629987c9a6fff9b1d058f53a665184fc48b18713148bc11401e0c3f47c274a6700582745c57b23b0c8aada7cee1

Download Submit
C:\Users\Admin\AppData\Local\Programs\LetVProtecter\zlibai.dll

Filesize
9.6MB

MD5
45559ce094bc20305befef71b7f78535

SHA1
720b296a933ec0515c112bf475b72ff149fcf2a9

SHA256
b2d478df34d91bed5cd8caddbb79ce4678f300d4cff094bf3c5b4dcd03379912

SHA512
b9b7ff2a19d5e0a36425cd245d987f7e43cd1f7d3fe082a69dc4488c6b406e875daa662a324d0649040fb4b3e75d596ac8ac190d73c4dc7320a799dc9ad74b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3yzwfmfk.00s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HUQNL.tmp\IesVpn-winx64.tmp

Filesize
2.9MB

MD5
b217b316699ff55e3f4a7cc97684e82c

SHA1
40bfd6fa9a558dbb52bc009d8dd933ac69bf1e2c

SHA256
68ac0e3a979eb3bb0350e50f779d9fbdcf619261fb3e31141dc946b5d5820531

SHA512
08164aed9743927d38e89f8dd00f4aa7be78f99c3ca687b334ba4c85bc7c029f5893a90329db02b292cc6d9b5b2eb682ad64d91dab3f93bed1767534bae4d46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f5f85797-3b4a-d348-ad32-ef76da46aaaf}\oemvista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f5f85797-3b4a-d348-ad32-ef76da46aaaf}\tap0901.cat

Filesize
10KB

MD5
f73ac62e8df97faf3fc8d83e7f71bf3f

SHA1
619a6e8f7a9803a4c71f73060649903606beaf4e

SHA256
cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b

SHA512
f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f5f85797-3b4a-d348-ad32-ef76da46aaaf}\tap0901.sys

Filesize
38KB

MD5
c10ccdec5d7af458e726a51bb3cdc732

SHA1
0553aab8c2106abb4120353360d747b0a2b4c94f

SHA256
589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253

SHA512
7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981

Download Submit
C:\Users\Admin\Desktop\LetsVPN.lnk

Filesize
1KB

MD5
7507cf7f2388e445f95a8b10b06e56eb

SHA1
8087780b296daf0ec5f60c47e7362da8b7b095a3

SHA256
4622e653345f3f76f3eb4ab22aa1e6c35ccff3082ca6b1f89dc09506c62118c9

SHA512
8ef8ae57a339622cce4e95a9a6786c884e5fe74f2843a626f4af4a1a3e0fa50efa7da8321630d5c70331d31c8686fac7d6c2c2e695490a977928630c59711586

Download Submit
memory/1052-7663-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/1052-7656-0x000002277A7C0000-0x000002277B96A000-memory.dmp

Filesize
17.7MB

Download
memory/1052-7655-0x000002277A7C0000-0x000002277B96A000-memory.dmp

Filesize
17.7MB

Download
memory/1052-7652-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/1052-7653-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/2540-7696-0x0000000005CD0000-0x0000000005CEA000-memory.dmp

Filesize
104KB

Download
memory/2540-7758-0x00000000353F0000-0x0000000035402000-memory.dmp

Filesize
72KB

Download
memory/2540-7678-0x0000000004F20000-0x0000000004F66000-memory.dmp

Filesize
280KB

Download
memory/2540-7688-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/2540-7691-0x0000000005B40000-0x0000000005B62000-memory.dmp

Filesize
136KB

Download
memory/2540-7712-0x0000000005D20000-0x0000000005D2A000-memory.dmp

Filesize
40KB

Download
memory/2540-7687-0x0000000005230000-0x00000000052E2000-memory.dmp

Filesize
712KB

Download
memory/2540-7708-0x0000000005D00000-0x0000000005D08000-memory.dmp

Filesize
32KB

Download
memory/2540-7682-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/2540-7704-0x0000000005D50000-0x0000000005D76000-memory.dmp

Filesize
152KB

Download
memory/2540-7674-0x0000000004AC0000-0x0000000004AE4000-memory.dmp

Filesize
144KB

Download
memory/2540-7700-0x0000000005D10000-0x0000000005D1A000-memory.dmp

Filesize
40KB

Download
memory/2540-7670-0x0000000000050000-0x00000000001BE000-memory.dmp

Filesize
1.4MB

Download
memory/2540-7906-0x0000000035B50000-0x0000000035B64000-memory.dmp

Filesize
80KB

Download
memory/2540-7695-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

Filesize
120KB

Download
memory/2540-7907-0x00000000355C0000-0x00000000355C8000-memory.dmp

Filesize
32KB

Download
memory/2540-7690-0x0000000005DB0000-0x00000000062DC000-memory.dmp

Filesize
5.2MB

Download
memory/2540-7905-0x0000000035B30000-0x0000000035B42000-memory.dmp

Filesize
72KB

Download
memory/2540-7719-0x0000000005D40000-0x0000000005D4A000-memory.dmp

Filesize
40KB

Download
memory/2540-7720-0x0000000006490000-0x00000000064F6000-memory.dmp

Filesize
408KB

Download
memory/2540-7904-0x0000000035580000-0x0000000035588000-memory.dmp

Filesize
32KB

Download
memory/2540-7954-0x00000000398A0000-0x00000000398A8000-memory.dmp

Filesize
32KB

Download
memory/2540-7689-0x00000000052F0000-0x0000000005644000-memory.dmp

Filesize
3.3MB

Download
memory/2540-7741-0x000000002FC90000-0x000000002FD22000-memory.dmp

Filesize
584KB

Download
memory/2540-7953-0x00000000397B0000-0x00000000397BA000-memory.dmp

Filesize
40KB

Download
memory/2540-7743-0x0000000005AA0000-0x0000000005AA8000-memory.dmp

Filesize
32KB

Download
memory/2540-7747-0x00000000339E0000-0x0000000033A18000-memory.dmp

Filesize
224KB

Download
memory/2540-7748-0x0000000033800000-0x000000003380E000-memory.dmp

Filesize
56KB

Download
memory/2540-7749-0x000000006D0B0000-0x000000006DB1B000-memory.dmp

Filesize
10.4MB

Download
memory/2540-7756-0x0000000034800000-0x0000000034810000-memory.dmp

Filesize
64KB

Download
memory/2540-7755-0x0000000034820000-0x0000000034846000-memory.dmp

Filesize
152KB

Download
memory/2540-7939-0x0000000030350000-0x0000000030360000-memory.dmp

Filesize
64KB

Download
memory/2540-7753-0x00000000347E0000-0x00000000347EA000-memory.dmp

Filesize
40KB

Download
memory/2540-7936-0x0000000030340000-0x0000000030348000-memory.dmp

Filesize
32KB

Download
memory/2540-7935-0x00000000358C0000-0x00000000358FA000-memory.dmp

Filesize
232KB

Download
memory/2540-7910-0x0000000039B10000-0x0000000039C96000-memory.dmp

Filesize
1.5MB

Download
memory/2540-7759-0x000000006D0B0000-0x000000006DB1B000-memory.dmp

Filesize
10.4MB

Download
memory/2540-7901-0x0000000034590000-0x00000000345A1000-memory.dmp

Filesize
68KB

Download
memory/2540-7894-0x0000000034560000-0x000000003456A000-memory.dmp

Filesize
40KB

Download
memory/2540-7893-0x0000000030390000-0x0000000030433000-memory.dmp

Filesize
652KB

Download
memory/2540-7892-0x0000000030370000-0x000000003038E000-memory.dmp

Filesize
120KB

Download
memory/2540-7934-0x0000000030320000-0x0000000030330000-memory.dmp

Filesize
64KB

Download
memory/2540-7922-0x0000000038450000-0x0000000038482000-memory.dmp

Filesize
200KB

Download
memory/2540-7920-0x0000000039040000-0x00000000390B6000-memory.dmp

Filesize
472KB

Download
memory/2540-7869-0x00000000369D0000-0x0000000036A1C000-memory.dmp

Filesize
304KB

Download
memory/2540-7919-0x0000000038EF0000-0x0000000038F22000-memory.dmp

Filesize
200KB

Download
memory/2540-7828-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2540-7833-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2540-7832-0x0000000034650000-0x0000000034666000-memory.dmp

Filesize
88KB

Download
memory/2540-7850-0x0000000036100000-0x0000000036728000-memory.dmp

Filesize
6.2MB

Download
memory/2540-7866-0x0000000035EC0000-0x0000000035F0A000-memory.dmp

Filesize
296KB

Download
memory/2540-7861-0x0000000035BD0000-0x0000000035C06000-memory.dmp

Filesize
216KB

Download
memory/2540-7860-0x0000000004FC0000-0x0000000004FDA000-memory.dmp

Filesize
104KB

Download
memory/2540-7862-0x0000000036DB0000-0x000000003742A000-memory.dmp

Filesize
6.5MB

Download
memory/2540-7863-0x0000000035DB0000-0x0000000035E46000-memory.dmp

Filesize
600KB

Download
memory/2540-7864-0x0000000037430000-0x00000000379D4000-memory.dmp

Filesize
5.6MB

Download
memory/2540-7865-0x0000000035E50000-0x0000000035E6E000-memory.dmp

Filesize
120KB

Download
memory/2540-7867-0x0000000035E90000-0x0000000035EAE000-memory.dmp

Filesize
120KB

Download
memory/2540-7868-0x0000000036730000-0x0000000036796000-memory.dmp

Filesize
408KB

Download
memory/2716-7636-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2716-7626-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2716-3708-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2716-9-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2716-6-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2920-7790-0x00000178A4C20000-0x00000178A5DCA000-memory.dmp

Filesize
17.7MB

Download
memory/2920-7764-0x00007FF9EBF70000-0x00007FF9EF34D000-memory.dmp

Filesize
51.9MB

Download
memory/2920-7763-0x00000178A4C20000-0x00000178A5DCA000-memory.dmp

Filesize
17.7MB

Download
memory/2920-7761-0x00007FF9EBF70000-0x00007FF9EF34D000-memory.dmp

Filesize
51.9MB

Download
memory/2920-7760-0x00007FF9EBF70000-0x00007FF9EF34D000-memory.dmp

Filesize
51.9MB

Download
memory/3048-7729-0x0000023986C00000-0x0000023987DAA000-memory.dmp

Filesize
17.7MB

Download
memory/3048-7664-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/3048-7667-0x0000023986C00000-0x0000023987DAA000-memory.dmp

Filesize
17.7MB

Download
memory/3048-7811-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/3048-7665-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/3048-7757-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/3048-7742-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/3764-8-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3764-7637-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3764-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3764-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4028-7644-0x00000178E9810000-0x00000178EA9BA000-memory.dmp

Filesize
17.7MB

Download
memory/4028-7643-0x00000178E9810000-0x00000178EA9BA000-memory.dmp

Filesize
17.7MB

Download
memory/4028-7651-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/4028-7632-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/4028-7631-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download
memory/4028-7642-0x00000178E6490000-0x00000178E8290000-memory.dmp

Filesize
30.0MB

Download
memory/4028-7633-0x00007FF9F6A20000-0x00007FF9F9DFD000-memory.dmp

Filesize
51.9MB

Download