f80bc12ffee2539f5827757dc8052decbbd795e604a58d8c83ae357cf5055151

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

letsvpn-latest.exe
Size

14.7MB
MD5

e039e221b48fc7c02517d127e158b89f
SHA1

79eed88061472ae590616556f31576ca13bfc7fb
SHA256

dc30e5dab15392627d30a506f6304030c581fc00716703fc31add10ff263d70b
SHA512

87231c025bb94771e89a639c9cb1528763f096059f8806227b8ab45a8f1ea5cd3d94fdc91cb20dd140b91a14904653517f7b6673a142a864a58a2726d14ae4b8
SSDEEP

393216:3Ie8M7oB2JNBXx9PMkglRy3mtFFu9zDVKZpw:3Rh8B2vB2c+kZD

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SET21E.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET21E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1740	netsh.exe
4752	netsh.exe
4388	netsh.exe
4948	netsh.exe
1492	netsh.exe

Executes dropped EXE 5 IoCs

pid	Process
1172	tapinstall.exe
1528	tapinstall.exe
4444	tapinstall.exe
3884	LetsPRO.exe
1844	LetsPRO.exe

Loads dropped DLL 64 IoCs

pid	Process
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1236	letsvpn-latest.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\" /silent"	LetsPRO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4868	cmd.exe
552	ARP.EXE

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\SETFF9F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\SETFF9F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\SETFF9E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\SETFF9E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\SETFF9D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\SETFF9D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ee19813-0c85-1541-84fe-38a90ca97d91}\tap0901.sys	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Win32.Registry.AccessControl.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.Numerics.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Encoding.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Xml.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\View	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\ru	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Newtonsoft.Json.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Drawing.Common.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Management.Automation.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\ko	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\fr	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\x86\WebView2Loader.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\DeltaCompressionDotNet.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Sockets.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.WebHeaderCollection.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.WebSockets.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.Serialization.Json.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Utils.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ComponentModel.Primitives.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ObjectModel.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.Timer.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\WebSocket4Net.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\ndp462-web.exe	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.Win32.Registry.AccessControl.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.FileSystem.DriveInfo.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Linq.Queryable.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\it\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ComponentModel.TypeConverter.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.ServiceModel.Syndication.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Xml.XmlSerializer.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-arm\native\e_sqlite3.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Linq.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Reflection.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Threading.ThreadPool.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Windows.Interactivity.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\pt-BR	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.FileSystem.AccessControl.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.Serialization.Formatters.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\DeltaCompressionDotNet.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\SQLitePCLRaw.core.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.Compression.ZipFile.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.IO.Packaging.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.Requests.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\x86\WebView2Loader.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\Mono.Cecil.Mdb.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Mono.Cecil.Mdb.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.ProtectedData.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Reflection.Primitives.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Resources.ResourceManager.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Security.Cryptography.Algorithms.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.CompilerServices.VisualC.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\pt-BR\System.Web.Services.Description.resources.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\zh-SG	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\ICSharpCode.AvalonEdit.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Diagnostics.Contracts.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Net.NetworkInformation.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\ToastNotifications.dll	letsvpn-latest.exe
File created	C:\Program Files (x86)\letsvpn\app-3.11.2\runtimes\win-x86\native\e_sqlite3.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\zh-MO\LetsPRO.resources.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\Microsoft.AppCenter.Crashes.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\SQLiteNetExtensionsAsync.dll	letsvpn-latest.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.11.2\System.Buffers.dll	letsvpn-latest.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
468	powershell.exe
4356	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LetsPRO.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LetsPRO.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4696	ipconfig.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\",1"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe\" \"%1\""	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\ = "letsvpn2Protocol"	LetsPRO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\Program Files (x86)\\letsvpn\\app-3.11.2\\LetsPRO.exe"	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command	LetsPRO.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	LetsPRO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c69214000000010000001400000032eb929aff3596482f284042702036915c1785e60400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a41900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 0f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be0b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000006200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a3814000000010000001400000032eb929aff3596482f284042702036915c1785e61d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f609000000010000000c000000300a06082b06010505070303030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 1900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d09000000010000000c000000300a06082b060105050703031d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f614000000010000001400000032eb929aff3596482f284042702036915c1785e66200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a380b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000000f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
468	powershell.exe
468	powershell.exe
4356	powershell.exe
4356	powershell.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeAuditPrivilege	3348	svchost.exe
Token: SeSecurityPrivilege	3348	svchost.exe
Token: SeLoadDriverPrivilege	1528	tapinstall.exe
Token: SeRestorePrivilege	4104	DrvInst.exe
Token: SeBackupPrivilege	4104	DrvInst.exe
Token: SeLoadDriverPrivilege	4104	DrvInst.exe
Token: SeLoadDriverPrivilege	4104	DrvInst.exe
Token: SeLoadDriverPrivilege	4104	DrvInst.exe
Token: SeDebugPrivilege	1844	LetsPRO.exe
Token: SeIncreaseQuotaPrivilege	1844	LetsPRO.exe
Token: SeSecurityPrivilege	1844	LetsPRO.exe
Token: SeTakeOwnershipPrivilege	1844	LetsPRO.exe
Token: SeLoadDriverPrivilege	1844	LetsPRO.exe
Token: SeSystemProfilePrivilege	1844	LetsPRO.exe
Token: SeSystemtimePrivilege	1844	LetsPRO.exe
Token: SeProfSingleProcessPrivilege	1844	LetsPRO.exe
Token: SeIncBasePriorityPrivilege	1844	LetsPRO.exe
Token: SeCreatePagefilePrivilege	1844	LetsPRO.exe
Token: SeBackupPrivilege	1844	LetsPRO.exe
Token: SeRestorePrivilege	1844	LetsPRO.exe
Token: SeShutdownPrivilege	1844	LetsPRO.exe
Token: SeDebugPrivilege	1844	LetsPRO.exe
Token: SeSystemEnvironmentPrivilege	1844	LetsPRO.exe
Token: SeRemoteShutdownPrivilege	1844	LetsPRO.exe
Token: SeUndockPrivilege	1844	LetsPRO.exe
Token: SeManageVolumePrivilege	1844	LetsPRO.exe
Token: 33	1844	LetsPRO.exe
Token: 34	1844	LetsPRO.exe
Token: 35	1844	LetsPRO.exe
Token: 36	1844	LetsPRO.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe
1844	LetsPRO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 468	1236	letsvpn-latest.exe	85
PID 1236 wrote to memory of 468	1236	letsvpn-latest.exe	85
PID 1236 wrote to memory of 468	1236	letsvpn-latest.exe	85
PID 1236 wrote to memory of 4356	1236	letsvpn-latest.exe	101
PID 1236 wrote to memory of 4356	1236	letsvpn-latest.exe	101
PID 1236 wrote to memory of 4356	1236	letsvpn-latest.exe	101
PID 1236 wrote to memory of 1172	1236	letsvpn-latest.exe	104
PID 1236 wrote to memory of 1172	1236	letsvpn-latest.exe	104
PID 1236 wrote to memory of 1528	1236	letsvpn-latest.exe	106
PID 1236 wrote to memory of 1528	1236	letsvpn-latest.exe	106
PID 3348 wrote to memory of 1876	3348	svchost.exe	109
PID 3348 wrote to memory of 1876	3348	svchost.exe	109
PID 3348 wrote to memory of 4104	3348	svchost.exe	111
PID 3348 wrote to memory of 4104	3348	svchost.exe	111
PID 1236 wrote to memory of 4228	1236	letsvpn-latest.exe	115
PID 1236 wrote to memory of 4228	1236	letsvpn-latest.exe	115
PID 1236 wrote to memory of 4228	1236	letsvpn-latest.exe	115
PID 4228 wrote to memory of 1740	4228	cmd.exe	117
PID 4228 wrote to memory of 1740	4228	cmd.exe	117
PID 4228 wrote to memory of 1740	4228	cmd.exe	117
PID 1236 wrote to memory of 2976	1236	letsvpn-latest.exe	119
PID 1236 wrote to memory of 2976	1236	letsvpn-latest.exe	119
PID 1236 wrote to memory of 2976	1236	letsvpn-latest.exe	119
PID 2976 wrote to memory of 4752	2976	cmd.exe	121
PID 2976 wrote to memory of 4752	2976	cmd.exe	121
PID 2976 wrote to memory of 4752	2976	cmd.exe	121
PID 1236 wrote to memory of 2204	1236	letsvpn-latest.exe	122
PID 1236 wrote to memory of 2204	1236	letsvpn-latest.exe	122
PID 1236 wrote to memory of 2204	1236	letsvpn-latest.exe	122
PID 2204 wrote to memory of 4388	2204	cmd.exe	124
PID 2204 wrote to memory of 4388	2204	cmd.exe	124
PID 2204 wrote to memory of 4388	2204	cmd.exe	124
PID 1236 wrote to memory of 4292	1236	letsvpn-latest.exe	125
PID 1236 wrote to memory of 4292	1236	letsvpn-latest.exe	125
PID 1236 wrote to memory of 4292	1236	letsvpn-latest.exe	125
PID 4292 wrote to memory of 4948	4292	cmd.exe	127
PID 4292 wrote to memory of 4948	4292	cmd.exe	127
PID 4292 wrote to memory of 4948	4292	cmd.exe	127
PID 1236 wrote to memory of 4780	1236	letsvpn-latest.exe	128
PID 1236 wrote to memory of 4780	1236	letsvpn-latest.exe	128
PID 1236 wrote to memory of 4780	1236	letsvpn-latest.exe	128
PID 4780 wrote to memory of 1492	4780	cmd.exe	130
PID 4780 wrote to memory of 1492	4780	cmd.exe	130
PID 4780 wrote to memory of 1492	4780	cmd.exe	130
PID 1236 wrote to memory of 4444	1236	letsvpn-latest.exe	132
PID 1236 wrote to memory of 4444	1236	letsvpn-latest.exe	132
PID 1236 wrote to memory of 3884	1236	letsvpn-latest.exe	135
PID 1236 wrote to memory of 3884	1236	letsvpn-latest.exe	135
PID 1236 wrote to memory of 3884	1236	letsvpn-latest.exe	135
PID 3884 wrote to memory of 1844	3884	LetsPRO.exe	136
PID 3884 wrote to memory of 1844	3884	LetsPRO.exe	136
PID 3884 wrote to memory of 1844	3884	LetsPRO.exe	136
PID 1844 wrote to memory of 2136	1844	LetsPRO.exe	145
PID 1844 wrote to memory of 2136	1844	LetsPRO.exe	145
PID 1844 wrote to memory of 2136	1844	LetsPRO.exe	145
PID 2136 wrote to memory of 4696	2136	cmd.exe	147
PID 2136 wrote to memory of 4696	2136	cmd.exe	147
PID 2136 wrote to memory of 4696	2136	cmd.exe	147
PID 1844 wrote to memory of 4948	1844	LetsPRO.exe	151
PID 1844 wrote to memory of 4948	1844	LetsPRO.exe	151
PID 1844 wrote to memory of 4948	1844	LetsPRO.exe	151
PID 1844 wrote to memory of 1336	1844	LetsPRO.exe	155
PID 1844 wrote to memory of 1336	1844	LetsPRO.exe	155
PID 1844 wrote to memory of 1336	1844	LetsPRO.exe	155

C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe
"C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
  "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1172
- C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
  "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh advfirewall firewall Delete rule name=lets
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall Delete rule name=lets
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh advfirewall firewall Delete rule name=lets.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall Delete rule name=lets.exe
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall Delete rule name=LetsPRO.exe
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall Delete rule name=LetsPRO
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall Delete rule name=LetsVPN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1492
- C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
  "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4444
- C:\Program Files (x86)\letsvpn\LetsPRO.exe
  "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe
    "C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:4696
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C route print
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
    - - C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C arp -a
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:4868
    - - C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{acff2139-913c-454f-a4eb-54eda85f2254}\oemvista.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\letsvpn\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1876
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000138"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:4584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1

Filesize
318B

MD5
b34636a4e04de02d079ba7325e7565f0

SHA1
f32c1211eac22409bb195415cb5a8063431f75cd

SHA256
a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df

SHA512
6eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f

Download Submit
C:\Program Files (x86)\letsvpn\LetsPRO.exe

Filesize
240KB

MD5
bd8643e5db648810348aa0755e455b70

SHA1
119cb1fb3057d9759d0abb3dfdafc460456c1cc4

SHA256
bec6a116ea2224dd1532c6eaf20e4d61199240e55ccd0270199fbd22f2806477

SHA512
b8033d8989c66431e1771ffc6d2549a4d1e32b8612b7331e7a2931ddad3e31c8a7e1af8ef129883034b1fcf466b8ad0e1cab431cbf5c20c724f4eef53468f714

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\CommunityToolkit.Mvvm.dll

Filesize
109KB

MD5
143351606a574d84328219a7c18c7219

SHA1
8e47c7b530f40553f4a88daff11d78255cc77730

SHA256
cbe3b5714c52ad9ff8885d9893c9ed77ad54485a7c5bae3a75151c06d3ae7c4f

SHA512
b4698855a37639cac6dd4c400d11028bba1433f43e811e23881a72f7875048c77cf0dbd8bab8c0374ae7182fe41f37f69f5942d770fbbead86b12805b6647291

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe

Filesize
1.5MB

MD5
ca72f8ead2ae568acc481f685385fb60

SHA1
887a1d53c8b61c81a80592ff62cf9cdf56b29d18

SHA256
d287af28a137d9c015531eae28815d2b0d0a53879318f104ef34e5d86e2c4618

SHA512
8da648e1363d490d6a4ee5ec9e38aec86384f345ae5fd58150b2affce8c3c208e1a55598cfe820d00e9448910598ffde29d2824275ebaafaa7d33279898a2e4c

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsPRO.exe.config

Filesize
26KB

MD5
6126a1ab971d6bd4761f45791af90b1e

SHA1
36013821807f6fe08fe3b60a22ec519fd3e5579c

SHA256
9b7b7ec30f305b3cd9da40662f95ed57ae89ed8afd2b11d26503e387ff3c262d

SHA512
9f74f9f4ad593980337099717ba1e6b584530ee0e192b137297961d1550a70ae3a30fc1bf3e6e670fb817682354648d610f2a542b753a61f397ccaca20908510

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsVPNDomainModel.dll

Filesize
20KB

MD5
85bee1626071af1b07e79fc7963731e4

SHA1
d804e63940798891928f3ba29be85cf06fbb9769

SHA256
222f84cd3111f90b7ce045119e63678ee180ab0a7c4f48cae25f097ee425debe

SHA512
6649931736a607dceea5ec8180e07c14c331761a7dd0fa5ab4187d3302c0a51262ccce40024d6540f3453d8bdd43785c5f8d45e9c5252e097b69b30fced78832

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\LetsVPNInfraStructure.dll

Filesize
23KB

MD5
f470c77c6226b6e4ef64448be9d88523

SHA1
4eea58baa9b37224c5e37f113aa6084c8ace46ac

SHA256
6e97c6e8bdb1fe484d0253175faf908f4e6800e4ab76c0281eca3dafcf8b8c24

SHA512
78613d526066c2d986e2984f3d71eeb8ee020d14d333132c35489e70b02e2124506871b28c7b0fc36d3676f478ce9e89fee0a693f6c5942f3399f7b4062e842e

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\Newtonsoft.Json.dll

Filesize
693KB

MD5
33a3c1df70cfab1888a4b20565515f81

SHA1
c1bfab7454dda45074a6e2b9ae4e9a2712830af6

SHA256
0c3c293507c487b76021baaded76defb0fecaf01c1327a448a9b756987595a9e

SHA512
76d3e0c34c5e793283910f93af3693355abdd374cf50234496cf3bbebf82a381113fbb4d53ad469f2f5a001b2cb96c761310a3825f8973ae61a4e8b59061cb28

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\System.Buffers.dll

Filesize
21KB

MD5
dbfc345d34c92fae11770079b9f4381b

SHA1
5d82cd91009f08b28696e6babfeda03958746d10

SHA256
397fd87e509ba39b4c5a5b191e3cc6d7867e0ee7729f04efe7f39cf4276dbeea

SHA512
15a852cc4320a6fa2b7bf25dcb1cacb97b4ccb64ff036bc68c17dc3ee08ac5f8229ac6bacd4dd77bf6c22aa89a6d882e7c121ee90940fea4571b30e74f37c9df

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\System.Memory.dll

Filesize
138KB

MD5
2b370cc14974e2c9955a2a3bdb5cb78a

SHA1
98878fb3998e492cf964a2e2af2ca187372ce5b5

SHA256
334ed3950898aa1f1a62a15bc411972246ab59498ecc9418f75695a2c1a5ba71

SHA512
f5c06d3f184baa1d7a6c9ebff9c5f5bbe87f61318710b0b19a81ce2fa26d3fabfd2af504d558c8b35a81e4c0846325260a2a425f2f68fde2b075addecadacb3d

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.CompilerServices.Unsafe.dll

Filesize
18KB

MD5
e0c5b0735a94152bc191a01b57c89db4

SHA1
15f546b9ea478fa2cee8c06e8d178a452056a7bc

SHA256
6ba160798e7d5ed98328c938c40ce1b8db1b3e603926e7c5220f5b22b243f8e1

SHA512
8b39993adea19d6697b929cebd529f1ae812379973e1e71c5459a5bc05608d071a377d4d88320c67b2424dfc681c97a01e6b361b6101d4720a49acd8e403c2c3

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\System.Runtime.InteropServices.RuntimeInformation.dll

Filesize
21KB

MD5
2a27f887342305cecd5ba36c8dbd4267

SHA1
2ca43487e37a67824b071d2870765f26c33ef7f2

SHA256
26a04bc90979886d477bb9777545e75a65c5f67443fdb5185c2fea249afc882b

SHA512
8d25ed902e2ca4191118b75cae0ea6338d0ce6aac3d10c08288e802704a115b15988a764899f3368aca0e7798933c5d4925721d82d7a7228372f435a36e1eafe

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\Utils.dll

Filesize
126KB

MD5
8af72dc9783c52125e229f8b79afba94

SHA1
71178bc7cfced6bc5dcb45ed666cdbe2c55182dd

SHA256
68ae722154cebfb3a3ca59b135e182a68fa0d6966a089008028f97022849bbc5

SHA512
dcada700522b78fe0006e84c6599a9857269512eb65a68c0475635f76d5805c43decad74232eb39dae83f987b3dabafe07129d44cce950c8dc9efd11901599e2

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\log4net.config

Filesize
1KB

MD5
7a7521bc7f838610905ce0286324ce39

SHA1
8ab90dd0c4b6edb79a6af2233340d0f59e9ac195

SHA256
2a322178557c88cc3c608101e8fc84bfd2f8fa9b81483a443bb3d09779de218d

SHA512
b25dfdce0977eaf7159df5eabe4b147a6c0adac39c84d1c7a9fe748446a10c8d2e20d04cf36221057aa210633df65f2a460821c8c79a2db16c912ec53a714d83

Download Submit
C:\Program Files (x86)\letsvpn\app-3.11.2\log4net.dll

Filesize
273KB

MD5
5b9a663d7584d8e605b0c39031ec485a

SHA1
b7d86ebe4e18cb6d2a48a1c97ac6f7e39c8a9b91

SHA256
e45afce6eff080d568e3e059498f5768585143336c600011273366905f4fc635

SHA512
b02bd950384cf3d656c4b8f590013392e3028c6183aa9321bd91b6fc1f5d41b03771313ca5e3305398a60642fa14fc5a98daf3e6decba586c80861bafcbf0c64

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Filesize
99KB

MD5
1e3cf83b17891aee98c3e30012f0b034

SHA1
824f299e8efd95beca7dd531a1067bfd5f03b646

SHA256
9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

SHA512
fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f8cc0bdd6d32cefba14329efeb3c5e1d

SHA1
a8b07ad8c39ec023a0e38d795595ba6038a826a0

SHA256
8ecc7399fdff7e4d3ae4cc01bdf73bbaafa7f3be0f2edc4734ca8ce92d795645

SHA512
64607e44919636cf0312d0230b5cb00ec6ddea0047a02ae30654c687cd1089dd80c7512a320609a6c56e8b46c460e7eedbf11ab865d88f394903fa85d8de113d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yper0m4u.vvl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C8F.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C8F.tmp\modern-wizard.bmp

Filesize
51KB

MD5
7f8e1969b0874c8fb9ab44fc36575380

SHA1
3057c9ce90a23d29f7d0854472f9f44e87b0f09a

SHA256
076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

SHA512
7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C8F.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C8F.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys

Filesize
38KB

MD5
c10ccdec5d7af458e726a51bb3cdc732

SHA1
0553aab8c2106abb4120353360d747b0a2b4c94f

SHA256
589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253

SHA512
7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat

Filesize
10KB

MD5
f73ac62e8df97faf3fc8d83e7f71bf3f

SHA1
619a6e8f7a9803a4c71f73060649903606beaf4e

SHA256
cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b

SHA512
f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe

Download Submit
memory/468-25-0x0000000005C60000-0x0000000005C7E000-memory.dmp

Filesize
120KB

Download
memory/468-11-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/468-10-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/468-12-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/468-9-0x0000000002680000-0x00000000026B6000-memory.dmp

Filesize
216KB

Download
memory/468-8-0x0000000073BBE000-0x0000000073BBF000-memory.dmp

Filesize
4KB

Download
memory/468-13-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/468-14-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/468-15-0x0000000005630000-0x0000000005984000-memory.dmp

Filesize
3.3MB

Download
memory/468-26-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

Filesize
304KB

Download
memory/468-29-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/1844-711-0x00000000328B0000-0x00000000328C4000-memory.dmp

Filesize
80KB

Download
memory/1844-694-0x00000000305A0000-0x00000000305A8000-memory.dmp

Filesize
32KB

Download
memory/1844-796-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-795-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-794-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-793-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-792-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-637-0x0000000000610000-0x0000000000794000-memory.dmp

Filesize
1.5MB

Download
memory/1844-641-0x00000000050C0000-0x00000000050E4000-memory.dmp

Filesize
144KB

Download
memory/1844-791-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-789-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-649-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/1844-788-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-645-0x0000000005540000-0x0000000005586000-memory.dmp

Filesize
280KB

Download
memory/1844-787-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-783-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-654-0x0000000005790000-0x0000000005842000-memory.dmp

Filesize
712KB

Download
memory/1844-655-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-656-0x0000000006370000-0x000000000689C000-memory.dmp

Filesize
5.2MB

Download
memory/1844-657-0x0000000006100000-0x0000000006122000-memory.dmp

Filesize
136KB

Download
memory/1844-661-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/1844-770-0x0000000038080000-0x00000000380B2000-memory.dmp

Filesize
200KB

Download
memory/1844-662-0x00000000062B0000-0x00000000062CA000-memory.dmp

Filesize
104KB

Download
memory/1844-666-0x00000000062E0000-0x00000000062EA000-memory.dmp

Filesize
40KB

Download
memory/1844-763-0x0000000036F10000-0x0000000036F21000-memory.dmp

Filesize
68KB

Download
memory/1844-670-0x0000000006320000-0x0000000006346000-memory.dmp

Filesize
152KB

Download
memory/1844-678-0x00000000062F0000-0x00000000062FA000-memory.dmp

Filesize
40KB

Download
memory/1844-762-0x0000000036E10000-0x0000000036EB3000-memory.dmp

Filesize
652KB

Download
memory/1844-674-0x00000000062D0000-0x00000000062D8000-memory.dmp

Filesize
32KB

Download
memory/1844-752-0x0000000036AE0000-0x0000000036B56000-memory.dmp

Filesize
472KB

Download
memory/1844-751-0x00000000361A0000-0x00000000361EC000-memory.dmp

Filesize
304KB

Download
memory/1844-750-0x0000000035C70000-0x0000000035CBA000-memory.dmp

Filesize
296KB

Download
memory/1844-682-0x0000000006300000-0x000000000630A000-memory.dmp

Filesize
40KB

Download
memory/1844-683-0x000000002F9C0000-0x000000002F9CA000-memory.dmp

Filesize
40KB

Download
memory/1844-684-0x000000002FE60000-0x000000002FE86000-memory.dmp

Filesize
152KB

Download
memory/1844-685-0x000000002F9E0000-0x000000002F9F0000-memory.dmp

Filesize
64KB

Download
memory/1844-688-0x0000000030C60000-0x0000000030CF2000-memory.dmp

Filesize
584KB

Download
memory/1844-730-0x0000000033910000-0x0000000033920000-memory.dmp

Filesize
64KB

Download
memory/1844-698-0x0000000032930000-0x0000000032968000-memory.dmp

Filesize
224KB

Download
memory/1844-699-0x0000000030C40000-0x0000000030C4E000-memory.dmp

Filesize
56KB

Download
memory/1844-706-0x0000000033F70000-0x0000000034514000-memory.dmp

Filesize
5.6MB

Download
memory/1844-709-0x0000000032860000-0x0000000032868000-memory.dmp

Filesize
32KB

Download
memory/1844-710-0x0000000032890000-0x00000000328A2000-memory.dmp

Filesize
72KB

Download
memory/1844-712-0x00000000328D0000-0x00000000328D8000-memory.dmp

Filesize
32KB

Download
memory/1844-729-0x0000000033C10000-0x0000000033C26000-memory.dmp

Filesize
88KB

Download
memory/1844-713-0x0000000033B80000-0x0000000033B92000-memory.dmp

Filesize
72KB

Download
memory/1844-714-0x0000000033920000-0x000000003393E000-memory.dmp

Filesize
120KB

Download
memory/1844-717-0x0000000030F10000-0x0000000030F20000-memory.dmp

Filesize
64KB

Download
memory/1844-718-0x0000000030F80000-0x0000000030FBA000-memory.dmp

Filesize
232KB

Download
memory/1844-719-0x0000000030F40000-0x0000000030F48000-memory.dmp

Filesize
32KB

Download
memory/1844-721-0x0000000030F50000-0x0000000030F60000-memory.dmp

Filesize
64KB

Download
memory/1844-720-0x000000006D0C0000-0x000000006DB28000-memory.dmp

Filesize
10.4MB

Download
memory/1844-722-0x0000000030FC0000-0x0000000030FDE000-memory.dmp

Filesize
120KB

Download
memory/1844-723-0x0000000035AE0000-0x0000000035C66000-memory.dmp

Filesize
1.5MB

Download
memory/1844-724-0x0000000030D80000-0x0000000030D90000-memory.dmp

Filesize
64KB

Download
memory/4356-507-0x00000000072D0000-0x0000000007373000-memory.dmp

Filesize
652KB

Download
memory/4356-509-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/4356-481-0x0000000073BB0000-0x0000000073C3D000-memory.dmp

Filesize
564KB

Download
memory/4356-491-0x0000000005A90000-0x0000000005DE4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-493-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/4356-495-0x00000000065E0000-0x0000000006612000-memory.dmp

Filesize
200KB

Download
memory/4356-496-0x000000006F8B0000-0x000000006F8FC000-memory.dmp

Filesize
304KB

Download
memory/4356-506-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/4356-518-0x0000000073BB0000-0x0000000073C3D000-memory.dmp

Filesize
564KB

Download
memory/4356-480-0x0000000073BB0000-0x0000000073C3D000-memory.dmp

Filesize
564KB

Download
memory/4356-508-0x0000000007A00000-0x000000000807A000-memory.dmp

Filesize
6.5MB

Download
memory/4356-510-0x0000000007410000-0x000000000741A000-memory.dmp

Filesize
40KB

Download
memory/4356-511-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/4356-512-0x00000000075A0000-0x00000000075B1000-memory.dmp

Filesize
68KB

Download
memory/4356-513-0x00000000075D0000-0x00000000075DE000-memory.dmp

Filesize
56KB

Download
memory/4356-514-0x00000000075E0000-0x00000000075F4000-memory.dmp

Filesize
80KB

Download
memory/4356-515-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/4356-516-0x0000000007620000-0x0000000007628000-memory.dmp

Filesize
32KB

Download