Edit tour

Windows Analysis Report
lets-test.msi

Overview

General Information

Sample name:	lets-test.msi
Analysis ID:	1476283
MD5:	b0428243a495bc1691d4c4f33b54e0eb
SHA1:	e7b0c8d355fc3cc1158b96b3a0e3420fac2b3f06
SHA256:	5683928d134cc328a0ae1460fb0c58ddf97d5bc854758c97a5c4d3c1869b842d
Tags:	exemsi
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Bypasses PowerShell execution policy

Contains functionality to infect the boot sector

Creates multiple autostart registry keys

Executes Lua script

Found API chain indicative of debugger detection

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the DNS server

Modifies the windows firewall

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample is not signed and drops a device driver

Uses ipconfig to lookup or modify the Windows network settings

Uses netsh to modify the Windows network and firewall settings

Yara detected Generic Downloader

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Tap Installer Execution

Sigma detected: Uncommon Svchost Parent Process

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7520 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\lets-test.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7556 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7660 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A5D05F387DF25EBE7AE8DA514E37EF3C MD5: 9D09DC1EDA745A5F87553048E57620CF)

LetsPRO.exe (PID: 7868 cmdline: "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe" MD5: EA9E2F517B1CC2DBE7F78302DD7FB593)

LetsPRO.exe (PID: 7896 cmdline: "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe" MD5: 2D822C8477099A4F8D149F19836312D1)

haxGhXjmBFM.exe (PID: 7876 cmdline: "C:\Program Files (x86)\haxGhXjmBFM.exe" MD5: 9C44BE4CEAC0C983A812FD8459511FD0)

powershell.exe (PID: 7968 cmdline: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 9092 cmdline: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 9100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tapinstall.exe (PID: 1704 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)

conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tapinstall.exe (PID: 8836 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)

conhost.exe (PID: 8892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2208 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6012 cmdline: netsh advfirewall firewall Delete rule name=lets MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 8632 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 8504 cmdline: netsh advfirewall firewall Delete rule name=lets.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 3980 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 2132 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 8100 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7208 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

tapinstall.exe (PID: 8356 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LetsPRO.exe (PID: 8452 cmdline: "C:\Program Files (x86)\letsvpn\LetsPRO.exe" MD5: EA9E2F517B1CC2DBE7F78302DD7FB593)

LetsPRO.exe (PID: 8464 cmdline: "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe" MD5: 38973DBBFAD9619FDE39FAB919EB9A04)

cmd.exe (PID: 8604 cmdline: "cmd.exe" /C ipconfig /all MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 8504 cmdline: ipconfig /all MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

cmd.exe (PID: 8004 cmdline: "cmd.exe" /C route print MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 8836 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

LetsPRO.exe (PID: 7884 cmdline: "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe" MD5: EA9E2F517B1CC2DBE7F78302DD7FB593)

LetsPRO.exe (PID: 7916 cmdline: "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe" MD5: 2D822C8477099A4F8D149F19836312D1)

LetsPRO.exe (PID: 7752 cmdline: "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe" MD5: EA9E2F517B1CC2DBE7F78302DD7FB593)

LetsPRO.exe (PID: 7784 cmdline: "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe" MD5: 2D822C8477099A4F8D149F19836312D1)

msedge.exe (PID: 7772 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7700 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1900,i,16840921317244570798,13407743960639991352,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

wegame.exe (PID: 7800 cmdline: "C:\Program Files (x86)\Common Files\wegame.exe" MD5: 063AF51C19F29BCDFD26C1BEBDC9ACE6)

svchost.exe (PID: 8164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msedge.exe (PID: 5672 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7316 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8072 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4204 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 8712 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 8732 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

svchost.exe (PID: 8904 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

drvinst.exe (PID: 8944 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\letsvpn\driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 3428 cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000158" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

svchost.exe (PID: 1104 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msedge.exe (PID: 8212 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5844 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2084,i,12025234242823261480,2093702470493136090,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

svchost.exe (PID: 2672 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WmiApSrv.exe (PID: 5252 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 9A48D32D7DBA794A40BF030DA500603B)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\letsvpn\app-3.8.0\netstandard.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\letsvpn\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\letsvpn\app-3.8.0\libwin.dll	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: LetsPRO.exe PID: 8464	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
55.2.LetsPRO.exe.68030000.24.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\haxGhXjmBFM.exe", ParentImage: C:\Program Files (x86)\haxGhXjmBFM.exe, ParentProcessId: 7876, ParentProcessName: haxGhXjmBFM.exe, ProcessCommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", ProcessId: 7968, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe" /silent, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe, ProcessId: 8464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe, ProcessId: 8464, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0u45maxg.4nm.ps1

Sigma detected: Tap Installer Execution

Source: Process started

Author: Daniil Yugoslavskiy, Ian Davis, oscd.community: Data: Command: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, NewProcessName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, OriginalFileName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, ParentCommandLine: "C:\Program Files (x86)\haxGhXjmBFM.exe", ParentImage: C:\Program Files (x86)\haxGhXjmBFM.exe, ParentProcessId: 7876, ParentProcessName: haxGhXjmBFM.exe, ProcessCommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, ProcessId: 1704, ProcessName: tapinstall.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Program Files (x86)\haxGhXjmBFM.exe", ParentImage: C:\Program Files (x86)\haxGhXjmBFM.exe, ParentProcessId: 7876, ParentProcessName: haxGhXjmBFM.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc, ProcessId: 8836, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\haxGhXjmBFM.exe", ParentImage: C:\Program Files (x86)\haxGhXjmBFM.exe, ParentProcessId: 7876, ParentProcessName: haxGhXjmBFM.exe, ProcessCommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", ProcessId: 7968, ProcessName: powershell.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd.exe" /C ipconfig /all, CommandLine: "cmd.exe" /C ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe" , ParentImage: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe, ParentProcessId: 8464, ParentProcessName: LetsPRO.exe, ProcessCommandLine: "cmd.exe" /C ipconfig /all, ProcessId: 8604, ProcessName: cmd.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8164, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPROCHS.dll

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5B6164 __EH_prolog3_GS,CryptAcquireContextW,GetLastError,		6_2_6C5B6164
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C7FE1F0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		6_2_6C7FE1F0

Source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_139cfb2e-9

Source:	Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb source: LetsPRO.exe, 00000037.00000002.4143079506.00000000032F2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\git\wegame_paas\beacon_report_cpp\beacon_sdk\Release\beacon_sdk.pdb source: wegame.exe, 00000006.00000002.4143954280.000000006CECB000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdb source: LetsPRO.exe, 00000037.00000002.4168244500.00000000067E2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdb source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\userAccounts.pdb source: lets-test.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: lets-test.msi
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\bin\Release\wegame.pdbmm1GCTL source: wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: lp)rlkeyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\git\OSS\notifyicon-wpf\Hardcodet.NotifyIcon.Wpf\Source\NotifyIconWpf\obj\Release\Hardcodet.Wpf.TaskbarNotification.pdb source: LetsPRO.exe, 00000037.00000002.4201314539.0000000037A82000.00000002.00000001.01000000.00000033.sdmp
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x86\e_sqlite3.pdb source: LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdb source: tapinstall.exe, 0000001E.00000002.1912221093.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000000.1910661790.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000000.1913117233.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000002.1953276492.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000002.1972779400.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000000.1970876937.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4178693283.00000000300B2000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb source: LetsPRO.exe, 00000037.00000002.4214834576.00000000387E2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb@ source: lets-test.msi
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdb source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034AB5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: LetsPRO.exe, 00000037.00000002.4187448131.00000000317A2000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Net.Http\netfx\System.Net.Http.pdb source: LetsPRO.exe, 00000037.00000002.4224367182.00000000392B2000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\userAccounts.pdbQ source: lets-test.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: lets-test.msi
Source:	Binary string: Extract: Mono.Cecil.Pdb.dll... 100% source: haxGhXjmBFM.exe, 00000008.00000003.2031982869.0000000000751000.00000004.00000020.00020000.00000000.sdmp, haxGhXjmBFM.exe, 00000008.00000002.2033229713.0000000000751000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4187448131.00000000317A2000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdb source: LetsPRO.exe, 00000037.00000002.4178819054.00000000300C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: lets-test.msi
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdb source: LetsPRO.exe, 00000037.00000002.4162624461.00000000059D2000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdbwD source: LetsPRO.exe, 00000037.00000002.4162624461.00000000059D2000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: e:\newclientmail\trunk\code\errorreport\release\ErrorReport.pdb source: LetsPRO.exe, 00000005.00000000.1716952895.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 00000005.00000002.1723561398.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000A.00000000.1717732510.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000A.00000002.1718436135.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000B.00000000.1717785516.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000B.00000002.1718664733.0000000000436000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LetsPRO.exe, 00000037.00000002.4168359295.00000000067F2000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: W.PDb source: haxGhXjmBFM.exe.1.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: LetsPRO.exe, 00000037.00000002.4178819054.00000000300C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: LetsPRO.exe, 00000037.00000002.4214834576.00000000387E2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: C:\Users\winsign\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: drvinst.exe, 00000023.00000003.1927968266.000002092AA5C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000024.00000003.1942016589.0000014379274000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb]KwK iK_CorDllMainmscoree.dll source: LetsPRO.exe, 00000037.00000002.4168992457.0000000006FB2000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: LetsPRO.exe, 00000037.00000002.4214552147.00000000387C2000.00000002.00000001.01000000.00000037.sdmp
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdb source: LetsPRO.exe, 00000037.00000002.4213951978.00000000385D2000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LetsPRO.exe, 00000037.00000002.4168580863.0000000006E72000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\lib\Release\common.pdb source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp, wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 00000003.00000000.1714533986.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000003.00000002.1724304213.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000007.00000000.1717340757.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000007.00000002.1718433574.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000009.00000002.1718643469.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000009.00000000.1717405600.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000036.00000000.2029609057.00000000004AD000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 00000036.00000002.2041845468.00000000004AD000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp, wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdbm source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\bin\Release\wegame.pdb source: wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb source: LetsPRO.exe, 00000037.00000002.4168992457.0000000006FB2000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: LetsPRO.exe, 00000037.00000002.4168104099.0000000006772000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256xpRb source: LetsPRO.exe, 00000037.00000002.4196069676.00000000371F2000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LetsPRO.exe, 00000037.00000002.4196250023.0000000037212000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: LetsPRO.exe, 00000037.00000002.4168104099.0000000006772000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4196250023.0000000037212000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\lib\Release\adapt_for_imports.pdb source: wegame.exe, 00000006.00000002.4143381615.000000006C98C000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: LetsPRO.exe, 00000037.00000002.4178693283.00000000300B2000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: tapinstall.exe, 0000001E.00000002.1912221093.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000000.1910661790.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000000.1913117233.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000002.1953276492.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000002.1972779400.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000000.1970876937.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdb source: LetsPRO.exe, 00000037.00000002.4214552147.00000000387C2000.00000002.00000001.01000000.00000037.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4195831415.0000000035422000.00000002.00000001.01000000.0000002E.sdmp
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4213951978.00000000385D2000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdbxE source: LetsPRO.exe, 00000037.00000002.4168244500.00000000067E2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: keyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LetsPRO.exe, 00000037.00000002.4196069676.00000000371F2000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\git\wegame_client\dependences\Lua\include\lua51.pdb source: wegame.exe, 00000006.00000002.4141048756.000000006C57A000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034AB5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdb source: LetsPRO.exe, 00000037.00000002.4195831415.0000000035422000.00000002.00000001.01000000.0000002E.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC4318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,	3_2_00BC4318
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00404F4D __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	5_2_00404F4D
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0045CBDF __EH_prolog3_GS,memset,GetModuleFileNameW,?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ,?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ,memset,FindFirstFileW,memset,wcsncpy_s,wcsncat_s,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindClose,	6_2_0045CBDF
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004570C9 __EH_prolog3_GS,memset,memset,FindFirstFileW,memset,wcscmp,wcscmp,memset,DeleteFileW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,	6_2_004570C9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00457307 __EH_prolog3_GS,memset,GetEnvironmentVariableW,?get_log_instance@base@@YAPAVILogger@1@XZ,memset,GetModuleFileNameW,wcsrchr,SimpleUString::operator=,memset,GetFileAttributesW,memset,memset,FindFirstFileW,memset,wcscmp,SimpleUString::operator=,wcscmp,wcscmp,FindNextFileW,FindClose,?get_log_instance@base@@YAPAVILogger@1@XZ,	6_2_00457307
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0040F710 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memset,FindFirstFileW,wcscpy_s,_invalid_parameter_noinfo_noreturn,	6_2_0040F710
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_004059CC
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_004065FD FindFirstFileW,FindClose,	8_2_004065FD
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_00402868 FindFirstFileW,	8_2_00402868
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00404F4D __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	10_2_00404F4D

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Program Files (x86)\letsvpn\app-3.8.0\netstandard.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\letsvpn\Update.exe, type: DROPPED

Source: global traffic	UDP traffic: 192.168.2.4:59728 -> 103.7.30.61:8000
Source: global traffic	UDP traffic: 192.168.2.4:59474 -> 103.7.30.83:8000

Source: global traffic

TCP traffic: 192.168.2.4:49765 -> 8.8.8.8:53

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Host: tqos.wegamex.com.hkAccept: /Content-Length: 689Content-Type: multipart/form-data; boundary=------------------------15ced2856b975cac
Source: global traffic	HTTP traffic detected: GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1Host: ws-ap1.pusher.comUpgrade: websocketConnection: UpgradeSec-WebSocket-Version: 13Sec-WebSocket-Key: NmRhMTFjMTgtMjY0OC00OQ==Origin: ws://ws-ap1.pusher.com

Source: Joe Sandbox View	IP Address: 183.60.146.66 183.60.146.66
Source: Joe Sandbox View	IP Address: 152.195.19.97 152.195.19.97
Source: Joe Sandbox View	IP Address: 103.235.46.96 103.235.46.96
Source: Joe Sandbox View	IP Address: 103.235.46.96 103.235.46.96

Source: global traffic	HTTP traffic detected: GET /crx/blobs/Af2yII2B0rZ8cHZ0zhAQMpE5nnHa-luPaKnkV2HzRYHJSUKQp47BzdeiX0Igp7uG9ixLd9f-dn93AlqvBwPDqfl_F5H1vnj2K-nXA2wr_RToPGmP3S9lmWq3G-LCKHiOc8oAxlKa5TcGVwrsFgTq79yNDjEULjiD5Cwy/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_79_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /chromewebstore/v1.1/items/verify HTTP/1.1Host: www.googleapis.comConnection: keep-aliveContent-Length: 119Content-Type: application/jsonSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1721941035&P2=404&P3=2&P4=M7A1OzH62S9Lk3UHKN5cCSEzeUZ01KVvQkb3YBsYyAsZEb3jWqQ4rtBDc42rk4GP3zd%2b0DfERo9Q01hcvKyUew%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: 1jOZtoZB8Px9C8siZ9XR9iSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.170
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 152.195.19.97
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155

Source: global traffic	HTTP traffic detected: GET /crx/blobs/Af2yII2B0rZ8cHZ0zhAQMpE5nnHa-luPaKnkV2HzRYHJSUKQp47BzdeiX0Igp7uG9ixLd9f-dn93AlqvBwPDqfl_F5H1vnj2K-nXA2wr_RToPGmP3S9lmWq3G-LCKHiOc8oAxlKa5TcGVwrsFgTq79yNDjEULjiD5Cwy/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_79_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1721941035&P2=404&P3=2&P4=M7A1OzH62S9Lk3UHKN5cCSEzeUZ01KVvQkb3YBsYyAsZEb3jWqQ4rtBDc42rk4GP3zd%2b0DfERo9Q01hcvKyUew%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: 1jOZtoZB8Px9C8siZ9XR9iSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1Host: ws-ap1.pusher.comUpgrade: websocketConnection: UpgradeSec-WebSocket-Version: 13Sec-WebSocket-Key: NmRhMTFjMTgtMjY0OC00OQ==Origin: ws://ws-ap1.pusher.com

Source: LetsPRO.exe, 00000037.00000002.4268427872.000000006852B000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: os/exec.Command(]. new data: GID[^/app([0-9]+)/app^created by (.+)$bad TinySizeClassbad key algorithmbad local addressboundBindToDevicecannot find id %sclose dns channelconnectingAddresscorkOptionEnableddecryption failedduplicate addresseffectiveNetProtoentersyscallblockexec apiAgent GIDexec apiAgent RIDexec deleteRegDirexec format errorexec nicIndexToIPexec phyNIC Indexexec phyNIC SetIPexec tapIFCE Nameexec: killing Cmdexec: not startedfractional secondframe_ping_lengthg already scannedget up-going ACK glEdgeFlagPointerglPopClientAttribglTexCoordPointergp.waiting != nilhandshake failureif-modified-sinceillegal parameterin string literalindex > windowEndinteger too largeinvalid BMPStringinvalid IA5Stringinvalid bit size invalid stream IDip2if func returnipv6-only networkisConnectNotifiedjoyReleaseCapturekey align too biglocked m0 woke upmark - bad statusmarkBits overflowmciGetCreatorTaskmessage too largemidiInGetDevCapsWmidiOutGetNumDevsmidiStreamRestartmissing closing )missing closing ]missing extensionmixerGetLineInfoWmultipartmaxpartsneed re-resolve: nextId too large:nil resource bodyno available Datano data availablenoChecksumEnablednotetsleepg on g0old node version:operation abortedparameter problempermission deniedpkg/buffer.Bufferpkg/sleep.Sleeperpkg/tcpip.Addresspppoe instanceId:protect fd failedreceiveBufferSizereceiveTOSEnabledreceiveTTLEnabledreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of remoteAddr is nilruntime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)set sdk loglevel:set tap static ipstack: frame={sp:start map checkerstart refresh infswept cached spansync.RWMutex.Lockthread exhaustiontimeGetSystemTimetransfer-encodingtruncated headersudp routines num:unknown caller pcunknown hostname:unknown type kindunrecognized nameupdate dns dialeruse gid:%s rid:%swait for GC cyclewaveInGetDevCapsWwaveInGetPositionwaveOutGetNumDevswebsocket: close wglGetPixelFormatwglGetProcAddresswglSetPixelFormatwine_get_versionwrong medium typewww.baidu.com:443www.facebook.com.x-forwarded-proto but memory size connection limit (message too big) because dotdotdot in async preempt equals www.facebook.com (Facebook)
Source: LetsPRO.exe, 00000037.00000002.4268427872.000000006852B000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: wrong medium typewww.baidu.com:443www.facebook.com.x-forwarded-proto but memory size connection limit (message too big) because dotdotdot in async preempt equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: ied-tqos.wegamex.com.hk
Source: global traffic	DNS traffic detected: DNS query: tqos.wegamex.com.hk
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: crt.sectigo.com
Source: global traffic	DNS traffic detected: DNS query: ws-ap1.pusher.com
Source: global traffic	DNS traffic detected: DNS query: www.baidu.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.yandex.com
Source: global traffic	DNS traffic detected: DNS query: nal.fqoqehwib.com
Source: global traffic	DNS traffic detected: DNS query: d1dmgcawtbm6l9.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: chr.alipayassets.com
Source: global traffic	DNS traffic detected: DNS query: nit.crash1ytics.com
Source: global traffic	DNS traffic detected: DNS query: in.appcenter.ms

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4165069289.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRoo
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: LetsPRO.exe, 00000037.00000002.4183661580.0000000030CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000018.00000002.1893014368.0000000002F54000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1905703178.00000000073F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicC4t
Source: LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCo
Source: LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: svchost.exe, 0000000E.00000002.4142093238.00000177F8E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/D
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4165069289.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: LetsPRO.exe, 00000037.00000002.4180752320.00000000309D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: LetsPRO.exe, 00000037.00000002.4165069289.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enw
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: LetsPRO.exe, 00000037.00000002.4163447409.0000000005D52000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: haxGhXjmBFM.exe, 00000008.00000002.2032480091.000000000040A000.00000004.00000001.01000000.00000006.sdmp, haxGhXjmBFM.exe, 00000008.00000003.1973465998.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, haxGhXjmBFM.exe, 00000008.00000000.1717959233.000000000040A000.00000008.00000001.01000000.00000006.sdmp, haxGhXjmBFM.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000018.00000002.1898978574.0000000005C86000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4165069289.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectig
Source: LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003371000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://schemas.fontawesome.io/icons/
Source: powershell.exe, 00000018.00000002.1893721239.0000000004D66000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.1728755337.000000000476C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1893721239.0000000004C11000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4143541172.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000018.00000002.1893721239.0000000004D66000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: wegame.exe, wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a
Source: wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a-s-f
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://wpfanimatedgif.codeplex.com
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: LetsPRO.exe, 00000037.00000002.4201314539.0000000037A82000.00000002.00000001.01000000.00000033.sdmp, LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.hardcodet.net/taskbar
Source: LetsPRO.exe, 00000037.00000002.4194258639.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wegame.exe, 00000006.00000002.4143954280.000000006CECB000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.5
Source: LetsPRO.exe, 00000037.00000002.4172640122.000000000FC92000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://0.0.0.0%2F0
Source: LetsPRO.exe, 00000037.00000002.4173822346.000000000FD00000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4177372856.000000000FF72000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4177807037.000000000FFB2000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4176380888.000000000FEAA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://USUS2.Session-IdCERTIFICATE
Source: powershell.exe, 0000000C.00000002.1728755337.00000000047A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1728755337.0000000004799000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1893721239.0000000004C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: https://aka.ms/toolkit/dotnet
Source: LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wegame.exe, wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp, wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: LetsPRO.exe, 00000037.00000002.4171712622.000000000FC22000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d1dmgcawtbm6l9.cloudfront.net/rest-api
Source: LetsPRO.exe, 00000037.00000002.4171712622.000000000FC22000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d1dmgcawtbm6l9.cloudfront.net/rest-apiedns_client_subnet=0.0.0.0%2F0&name=d1dmgcawtbm6l9.clo
Source: LetsPRO.exe, 00000037.00000002.4268427872.000000006852B000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/3401886-special-settings-for-smartby
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8262720-special-settings-for-host-ne
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8262786-special-settings-for-express
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8262801-special-settings-for-killer-
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windo
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8D23000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D87000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D74000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: https://github.com/CommunityToolkit/dotnet
Source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: LetsPRO.exe, 00000037.00000002.4168580863.0000000006E72000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: LetsPRO.exe, 00000037.00000002.4168580863.0000000006E72000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: LetsPRO.exe, 00000037.00000002.4168359295.00000000067F2000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: LetsPRO.exe, 00000037.00000002.4168398162.00000000067F6000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: https://in.appcenter.ms
Source: LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: https://in.appcenter.ms./logs?api-version=1.0.0
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.appcenter.ms/logs?api-version=1.0.0
Source: haxGhXjmBFM.exe, 00000008.00000002.2033229713.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/-N
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2780068-%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%BE%9
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2925752-how-to-download-letsvpn
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2926062-recover-my-letsvpn-account
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3710603-about-logging-in-out-anomalies
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003371000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/collections/1628560-help-documents
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/en/collections/Killer
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://letsvpn.world/privacy.html
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://letsvpn.world/registerterm.html
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://letsvpn.world/terms.html
Source: LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com
Source: LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com-
Source: LetsPRO.exe, 00000037.00000002.4175179086.000000000FD84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app33/device
Source: LetsPRO.exe, 00000037.00000002.4172640122.000000000FC86000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app33/devicechecking
Source: LetsPRO.exe, 00000037.00000002.4177372856.000000000FF72000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app33/devicehttps://nit.crash1ytics.com/app33/device
Source: LetsPRO.exe, 00000037.00000002.4172640122.000000000FC86000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app33/devicehttps://nit.crash1ytics.com/app33/deviceHu
Source: LetsPRO.exe, 00000037.00000002.4176710420.000000000FF1B000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comhttpCode=-2
Source: powershell.exe, 00000018.00000002.1898978574.0000000005C86000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000E.00000003.1727303694.00000177F8CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://pngimg.com/uploads/light/light_PNG14440.png
Source: LetsPRO.exe, 00000037.00000002.4177372856.000000000FF72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://postPost223.61.70.52
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://rdrt.jkjtdfbs.com/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-
Source: LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://widget.intercom.io/widget/
Source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

Code function: 8_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

8_2_00405461

Source: LetsPRO.exe, 00000037.00000002.4268427872.000000006852B000.00000002.00000001.01000000.00000024.sdmp

Binary or memory string: is unavailable()<>@,;:\"/[]?=,M3.2.0,M11.1.0-------------- 0601021504Z0700114.114.114.114126.255.255.254169.254.255.255191.255.255.254223.255.255.254255.255.255.248476837158203125: cannot parse : no frame (sp=; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAccount-ExpiredAccount-TimeoutAddDllDirectoryAddMandatoryAceAreFileApisANSIBP_BUFFERFORMATBackupEventLogWCLSIDFromProgIDCLSIDFromStringCOLORADJUSTMENTCOMPOSITIONFORMCRYPTOAPI_BLOB_CRYPT_ATTRIBUTECRYPT_ATTR_BLOBCRYPT_DATA_BLOBCRYPT_HASH_BLOBCallWindowProcWClientAuthType(CoInitializeWOWColorAdjustLumaCompareFileTimeControl_RunDLLWCreateDataCacheCreateErrorInfoCreateHardLinkWCreateMailslotWCreateMetaFileWCreatePopupMenuCreateToolbarExCreateWindowExWCryptCreateHashCryptDestroyKeyCryptGetUserKeyCryptMemReallocCryptMsgControlDAD_DragEnterExDESKTOPENUMPROCDdeGetLastErrorDdeQueryStringWDdeUnaccessDataDdeUninitializeDefRawInputProcDefSubclassProcDeleteIPAddressDestinationAddrDeviceIoControlDialogBoxParamWDlgDirSelectExWDnsPolicyConfigDownload-FailedDragAcceptFilesDrawMenuBarTempDrawStatusTextWDrawThemeTextExDuplicateHandleECDSAP256SHA256ECDSAP384SHA384ENG_TIME_FIELDSENUMLOGFONTEXDVENUMRESLANGPROCEXPLICIT_ACCESSEmptyWorkingSetEnableScrollBarEngCreateBitmapEngEraseSurfaceEngFindResourceEngGradientFillEnumEnhMetaFileExcludeClipRectExtCreateRegionFailed to find Failed to load FindExecutableWFindNextStreamWFindNextVolumeWFindResourceExWFindVolumeCloseFlush dns cacheFlushIpNetTableFlushViewOfFileFreeAddrInfoExWGENERIC_MAPPINGGateway TimeoutGdiGradientFillGdiIsMetaFileDCGetActiveObjectGetActiveWindowGetAdapterIndexGetAdaptersInfoGetArcDirectionGetCharWidth32WGetClassInfoExWGetComboBoxInfoGetCommTimeoutsGetCommandLineWGetDCBrushColorGetDateFormatExGetDlgItemTextWGetEnhMetaFileWGetGraphicsModeGetGuiResourcesGetIpStatisticsGetKeyNameTextWGetKeyboardTypeGetLocaleInfoExGetMailslotInfoGetMenuItemRectGetMonitorInfoWGetNearestColorGetPolyFillModeGetProcessHeapsGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTapePositionGetTextMetricsWGetThemeIntListGetThemeMarginsGetThemeSysBoolGetThemeSysFontGetThemeSysSizeGetThreadLocaleGetTimeFormatExGetTitleBarInfoGetTrusteeFormWGetTrusteeNameWGetTrusteeTypeWGetWindowRgnBoxGlobalFindAtomWHanifi_RohingyaHasIPPacketInfoHost-Block-ListHost-Local-ListICreateTypeLib2IMEMENUITEMINFOIO_STATUS_BLOCKIP-Country-ListIP-Queue-LengthIP_ADAPTER_INFOIPersistStorageIShellItemArrayI_CryptAllocTlsI_RpcFreeBufferIcmp6CreateFileIcmpCloseHandleIcmpSendEcho2ExIdempotency-KeyImageList_MergeImageList_WriteImmIsUIMessageWImpersonateSelfInSendMessageExInitMUILanguageInsertMenuItemWIsBadStringPtrWIsHungAppWindowIsValidCodePageIsWindowEnabledIsWindowUnicodeIsWindowVisibleIsWow64Process2K32GetWsChangesKillSystemTimerLPCONDITIONPROCLPENUMFORMATETCLPFNDFMCALLBACKLPLOGCOLORSPACELPMESSAGEFILTERLPOLECLIENTSITELPPAGEPAINTHOOKLPPAGESETUPHOOKLPPRINTHOOKPROCLPSETUPHOOKPROCLPSHQUERYRBINFOLPWSAOVERLAPPEDLWBTBVCITWI2025Length RequiredLoadLibraryExA

memstr_16003103-2

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_0040CA14 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,		5_2_0040CA14
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_0040CA14 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,		10_2_0040CA14

Source: Yara match	File source: 55.2.LetsPRO.exe.68030000.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: LetsPRO.exe PID: 8464, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\letsvpn\app-3.8.0\libwin.dll, type: DROPPED

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEED7C5D2183A1352C6D421D65F131F0	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\tap0901.cat (copy)	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\driver\tap0901.cat	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	File created: C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\tap0901.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\SET98BE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	File created: C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\SET9776.tmp	Jump to dropped file

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files (x86)\Common Files\wegame.exe

Code function: 6_2_6C614908: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,memset,DeviceIoControl,memset,memset,memset,isalnum,isalnum,GetLastError,FindCloseChangeNotification,

6_2_6C614908

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

Code function: 8_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

8_2_0040338F

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\61335c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D01.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D02.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DDE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3E0E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3E8C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3EAC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3EDC.tmp	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET9E3C.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET9E3C.tmp

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI3D02.tmp

Jump to behavior

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCB18B	3_2_00BCB18B
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BD3929	3_2_00BD3929
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCA95F	3_2_00BCA95F
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC7B91	3_2_00BC7B91
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCAC09	3_2_00BCAC09
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCA5ED	3_2_00BCA5ED
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BD2D55	3_2_00BD2D55
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCA540	3_2_00BCA540
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCAED0	3_2_00BCAED0
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_004301D2	5_2_004301D2
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_0040E1EC	5_2_0040E1EC
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_004221AB	5_2_004221AB
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00431316	5_2_00431316
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_0042931D	5_2_0042931D
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00433386	5_2_00433386
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00421590	5_2_00421590
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_004225B7	5_2_004225B7
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00430714	5_2_00430714
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_004257D2	5_2_004257D2
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00421904	5_2_00421904
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_004229D7	5_2_004229D7
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00430C56	5_2_00430C56
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_0042CC67	5_2_0042CC67
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00421DD7	5_2_00421DD7
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00450039	6_2_00450039
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004240D0	6_2_004240D0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00450262	6_2_00450262
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00406380	6_2_00406380
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0042E4A0	6_2_0042E4A0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0045050D	6_2_0045050D
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00424510	6_2_00424510
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0042E710	6_2_0042E710
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00424730	6_2_00424730
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0042C7C0	6_2_0042C7C0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004507CA	6_2_004507CA
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0041E800	6_2_0041E800
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004328E0	6_2_004328E0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004308F0	6_2_004308F0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0042E930	6_2_0042E930
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00436A20	6_2_00436A20
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00428B60	6_2_00428B60
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00422BD0	6_2_00422BD0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00438DE0	6_2_00438DE0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00426FC0	6_2_00426FC0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00424FA0	6_2_00424FA0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00429288	6_2_00429288
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00431370	6_2_00431370
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004294D3	6_2_004294D3
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004055C0	6_2_004055C0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00423690	6_2_00423690
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004318A0	6_2_004318A0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00437A20	6_2_00437A20
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00433A30	6_2_00433A30
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00415CE0	6_2_00415CE0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00431D80	6_2_00431D80
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00419E70	6_2_00419E70
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0044FE01	6_2_0044FE01
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C52CC00	6_2_6C52CC00
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C501528	6_2_6C501528
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C501672	6_2_6C501672
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5608E0	6_2_6C5608E0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C52A4C0	6_2_6C52A4C0
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C556500	6_2_6C556500
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C51E600	6_2_6C51E600
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C556500	6_2_6C556500
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C501672	6_2_6C501672
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C501528	6_2_6C501528
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C556500	6_2_6C556500
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C50B1A0	6_2_6C50B1A0
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_00406B15	8_2_00406B15
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_004072EC	8_2_004072EC
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_00404C9E	8_2_00404C9E
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_004301D2	10_2_004301D2
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_0040E1EC	10_2_0040E1EC
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_004221AB	10_2_004221AB
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00431316	10_2_00431316
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_0042931D	10_2_0042931D
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00433386	10_2_00433386
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00421590	10_2_00421590
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_004225B7	10_2_004225B7
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00430714	10_2_00430714
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_004257D2	10_2_004257D2
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00421904	10_2_00421904
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_004229D7	10_2_004229D7
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00430C56	10_2_00430C56
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_0042CC67	10_2_0042CC67
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00421DD7	10_2_00421DD7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_02E5B4B8	24_2_02E5B4B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_02E5B4A8	24_2_02E5B4A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_08843AA8	24_2_08843AA8

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Common Files\Lua51.dll 7FA367A644670ED94A01BC0927996D93B82EA2658BB7D84C99C648F12B6A61F1
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Common Files\adapt_for_imports.dll 96AEA19B11327AE4200396E84F06A4746A926F43B688C22E60B370DED1CF6D58
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Common Files\beacon_sdk.dll B5DF19432F50AD434CA860173C9EB0DC6FDFACA48F75A3B416D038C213D089DA
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Common Files\common.dll 2E21F70ADCBE5FE3D51EB9236FC23E071E675C802BFEEC2CA5C0A41EEF35E9A2

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Process token adjusted: Load Driver

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: String function: 00BC8C30 appears 40 times
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: String function: 00421528 appears 104 times
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: String function: 00421040 appears 78 times
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: String function: 0042100D appears 280 times
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: String function: 00425160 appears 46 times
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: String function: 0042047E appears 32 times
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: String function: 004046E0 appears 62 times
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: String function: 004104B8 appears 54 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 00420F10 appears 62 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 00467B2C appears 38 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 00467AC1 appears 288 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 00467A6B appears 66 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 004137A0 appears 127 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 00467AF5 appears 135 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 0043F2BB appears 107 times
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: String function: 6C6ABF6F appears 48 times

Source: lets-test.msi	Binary or memory string: OriginalFilenameuserAccounts.dllF vs lets-test.msi
Source: lets-test.msi	Binary or memory string: OriginalFilenameaischeduler.dllF vs lets-test.msi
Source: lets-test.msi	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs lets-test.msi

Source: Utils.dll.8.dr, EncryptionHelper.cs

Base64 encoded string: 'MmnG6VOR+WnZS9H1nUImgh51Osbv1HNbg0tmihNKIe56P70uL5Qpu7Pg5BRk5AHEN7JjJBMMg3K+zTtV1yr5Z4OUpvRNri102lHcvY0xDlrDpER1nsJylqsBoy24674eg5Pyf3n55VkkXWX2Plb+wrLs7sPC+KmgyOhFif4ZESQXqTS/q+Cy+EtUFZRYqDg3wLkTAIUg1Y7TO+me6hpjVKfavGaVZK1R87D+dwnC6O2GqA12ZUWUCoJF+py6stRs8RpFoxKdoMxM4mXOakl31jpmLW9rBvYUNccWVwfNyGADglRdMjx+Knx+Ab4Ca/RMsF15MI+IIUAV0kbgkZTtN6VeLZELo1C99hV/Ot4T1yJwAA4zU9fkRdwuv86e2+f4n8Ibntyh6By9eV3rJQ5FOZE+Wu+N1Yjkhn0JuoRSNmlY4o+qMvv//2zJm0rK3xXL7L9T6zz/CXllU+qIEXFd67uS1taBykurfdYqbNy1BXZwSqPLpWUQt1Icr3fwdORhEvVZi3TX5PkUtYY2omHSmrFDIX5IRDpvcNSgNyGBjeeXXtOgxSXviM5dkg+010rGN1m7sU5zEgGH8h5f+iLJTyk7ZYE6NeZUnz6ueYCm2tfkXABcJGcizm9NR4WFXgUyVhmShAKnl/ibHfEI8IykY6PDIZbRv3AdfG8tZnqZeb8NYKFOzumRpA8MmmIFMvImu/JWb/SP0WbUZWg3Lt39f1EUnTe2+6HgXCXMCf39SoSNiuSWVDux7rte2dtYRwNssXKSMtXbSw12nG08+UE+k428PU/ZA7d/r+InLoUCZlprYMzd3lqJOLwnpGAJI+0KeAlyg86ZXGP2GukkIGjG8idjKBWpvqL/euEHNNfBIqpIdAjuQAKXsmeRq7fc2sC+ntLiUtuG0iu4Pr5THZBcNX9g+iSxZNCrZ1ShbcFzZ0tej74Xk64QWcLkjH9xQ5v6k/I02zDp+4XpQ6/iFL87Bh9jJD7ZtbMV3cWL3I5xQULhfw/475Ip0jnBfXY+JArydLESbTrWhGcNo1BYO5SRy+FPuP6IH1knm0v4VZlacAELHL6IzUfmjtagkFs3hGDkzYGKEJ6xFGmgRjhmUcWfLCp7Xwkl0IM5FJw21IfQpQojn8S5Lj2KPQkE1WkNkhJx/j3fLMLgbNfrfjeo9pWPFQo6byGz+K+PJ+Cwo0ZbttwUYL2GucrayJxqPShrxKLFb9v3iCWLIYMVcfgA7LpXdS+6lmOUZxrepO0jSugA5fQv8kHvvwkA0DQwU85yViJVK94hBaY75RKqwiI4Tfsqu5pFoq0Z6uCwJ5gfpbG/hF8wqoj0ybbFt1b+QQdS8cEjZtnS/LyLvl35oLIF4q2J/oda0ESYRsx8wA7UGAK8KKDGyOihfXywxgE4CU3ko1PNy9A6KZBaYzertv3uHeBJH2JC9H1qErVSG8dIk3BbAVtIsJ+OMEbbS+mSuMa42Fl5hLjwbB4V7K2iWEp+w+JZ+1NTCJxXqZze/YLwg/UPb/HJyqAqKkFku8ctNUPqsVtu2FjqDSEezp5stKsqsjyfdBAouLetvlrlp5lMOyd12Yi4VTlu/8AXRFbWCFf73feCj8NULfc0vqfjSfZ0HoirsvomNYn5GABtU75DiKOZgptCEYzfPnmcx6M6F2DgYB4ITTP2XV8+ousV7sEOSw18Gd40lSQmi25bmKUAnKIINhyki0IX/76e6LdYfvWWJTGzFOiZ+KuufFS0vTZEQnVnEpXviz+DqyQzKxiWVAId8mdXOZv4rmDXjeEEOkqLe/ZoIT8udAy+xRdhHXyTpnDj9VoU4oVIkwGg/scKxIrRn7FzcVEk6o7V4cmgGcOwmf42JYy92F+xZu0Ro4Fx4aMpR63P/UADAfidp59dPBJBJrEtVeBkVqposXpKcFYPHKHdyq6FRzAd2aM8RzmVaWiIadl4YDXNN7IiAAMv+G0MqmgBwKHWdhqac2eLRn+giLEwJgiqSUpeedeXobdqZOF6uoJ2jTmxgzBgyVqvGXkKKex5ZnskC9P7EQXhHEGZ5L0KhXgtHxPIZ4coRlfaepVbIq12quYqN3Y3WgfCrmZ4BAQf2h3TMgwUSYCHrHlAPapjT+NLeoJYvaxlY3Z8aB6G3JCcQ4fCeVo0c0mw+wDFOnfaxr26DsReIde+o7I6nOyqag1Reg13GlDzshLN35WmPHDwc2XDUD+vaNQBYBg0ED99UPxjaptvHdgxABfLVNieAxL7UBc327uKcl+n4fs69fwdsQGWIw7d2vSpKjFyalG/1EDHvq1Cgh5LmAAiyyTnBTa76nzQrIK+37hTO+vRBKdsgkdnET+DPNNRv5aR1RWJABSBJV3kV23SxxMjMmqIIr2DxgROOmspYZZ4AK9o8cT7tJBaHWvan0aplwcb/ALoWFBLDweGa0Dc+JXFHhwd4nKy8mRdC7IKZJzUlfEukKXvmEB19fWKvfOfHQkxQEwSss9LO+QQ3BKdjGjrKFDsKIpfUotoSH85KG9+pndOXxD7xDbNsPajtxFMXZxydh7xIK91+P7ekRN7gjMUIoDSs3jhOtpqG5+yYxTgT7PwCU1RCTqD9mG2rIioUsS1+Oz8OYHJvuYvBFzQftJDSkeaP1Ib2kHlFEP5ZLnLbiPAVKyW3RqoMPqXDFpkRl8qyo6YGigP2h5AP3EyxAZ3olZuqIjNKb1aKngO0rADdgNg2X5bTej3eD5w/+5S77oPj2mXnIZAseCrhysxuZTaY4HR3jWLMud8aGpMIREdjIUcRo/Jlpoch5RpLLjxQAOKhLm0zuq75naOqzDyphDiXEbvavcEFHuLHFjfUFjfkFoZuWG2sttUMeOJ+NnL7JaoSSe/WFI4S4s+OIpe2yJoWCJZX4O3n2kHoapNgQz8eEcZyPvx6WCuo55UYfUa6nbOGtCyUm8027mv/8w2QrZAFxJPhf1+I10kFp6MoO1ho/RAVvEv3j1gQXDgvsGxEpkN0TWtzHCOmai74md

Source: classification engine

Classification label: mal84.troj.spyw.evad.winMSI@118/595@27/19

Source: C:\Program Files (x86)\Common Files\wegame.exe

Code function: 6_2_6C524640 GetLastError,FormatMessageA,

6_2_6C524640

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

8_2_0040338F

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

Code function: 8_2_00404722 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

8_2_00404722

Source: C:\Program Files (x86)\Common Files\wegame.exe

Code function: 6_2_00456E02 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,memset,CloseHandle,OpenProcess,GetModuleFileNameExW,K32GetModuleFileNameExW,SimpleUString::operator=,memset,_wsplitpath_s,SimpleUString::operator=,FindCloseChangeNotification,Process32Next,FindCloseChangeNotification,

6_2_00456E02

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

Code function: 8_2_00402104 CoCreateInstance,

8_2_00402104

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe

Code function: 5_2_0040F158 FindResourceW,LoadResource,LockResource,FreeResource,

5_2_0040F158

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\1etsvpn

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML3E68.tmp

Jump to behavior

Source: C:\Windows\System32\drvinst.exe	Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Program Files (x86)\Common Files\wegame.exe	Mutant created: \Sessions\1\BaseNamedObjects\_TGP_EXISTS_MUTEX_NAME_
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Program Files (x86)_letsvpn_app-3.8.0_Log_
Source: C:\Program Files (x86)\Common Files\wegame.exe	Mutant created: \Sessions\1\BaseNamedObjects\WeGameCN_Mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Program Files (x86)\Common Files\wegame.exe	Mutant created: \Sessions\1\BaseNamedObjects\446e43c4-a90f-56a2-a09d-e5123a135e92
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8892:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF76C1447C2DDEB1A0.TMP

Jump to behavior

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe

Key opened: HKEY_USERSS-1-5-18\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wegame.exe, 00000006.00000002.4143954280.000000006CECB000.00000002.00000001.01000000.0000000C.sdmp, LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: wegame.exe, 00000006.00000002.4143954280.000000006CECB000.00000002.00000001.01000000.0000000C.sdmp, LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LetsPRO.exe, 00000037.00000002.4180752320.00000000309C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Select MACAddress From Win32_NetworkAdapter WHERE ((MACAddress Is Not NULL) AND (Manufacturer <> 'Microsoft'));5
Source: LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: wegame.exe	String found in binary or memory: -launcher=
Source: wegame.exe	String found in binary or memory: -launcher

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\lets-test.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A5D05F387DF25EBE7AE8DA514E37EF3C
Source: unknown	Process created: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\wegame.exe "C:\Program Files (x86)\Common Files\wegame.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM.exe "C:\Program Files (x86)\haxGhXjmBFM.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe"
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1900,i,16840921317244570798,13407743960639991352,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4204 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\letsvpn\driver"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000158"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2084,i,12025234242823261480,2093702470493136090,262144 /prefetch:3
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Process created: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: unknown	Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A5D05F387DF25EBE7AE8DA514E37EF3C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM.exe "C:\Program Files (x86)\haxGhXjmBFM.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1900,i,16840921317244570798,13407743960639991352,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4204 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\letsvpn\driver"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000158"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2084,i,12025234242823261480,2093702470493136090,262144 /prefetch:3
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Process created: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: adapt_for_imports.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: lua51.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: common.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: beacon_sdk.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\wegame.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: spinf.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: drvstore.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: newdev.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: spinf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: drvstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Automated click: Next >
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: lets-test.msi

Static file information: File size 52425728 > 1048576

Source:	Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb source: LetsPRO.exe, 00000037.00000002.4143079506.00000000032F2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\git\wegame_paas\beacon_report_cpp\beacon_sdk\Release\beacon_sdk.pdb source: wegame.exe, 00000006.00000002.4143954280.000000006CECB000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdb source: LetsPRO.exe, 00000037.00000002.4168244500.00000000067E2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdb source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\userAccounts.pdb source: lets-test.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: lets-test.msi
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\bin\Release\wegame.pdbmm1GCTL source: wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: lp)rlkeyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\git\OSS\notifyicon-wpf\Hardcodet.NotifyIcon.Wpf\Source\NotifyIconWpf\obj\Release\Hardcodet.Wpf.TaskbarNotification.pdb source: LetsPRO.exe, 00000037.00000002.4201314539.0000000037A82000.00000002.00000001.01000000.00000033.sdmp
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x86\e_sqlite3.pdb source: LetsPRO.exe, 00000037.00000002.4256167829.0000000067067000.00000002.00000001.01000000.00000031.sdmp
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdb source: tapinstall.exe, 0000001E.00000002.1912221093.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000000.1910661790.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000000.1913117233.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000002.1953276492.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000002.1972779400.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000000.1970876937.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4178693283.00000000300B2000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb source: LetsPRO.exe, 00000037.00000002.4214834576.00000000387E2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb@ source: lets-test.msi
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdb source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034AB5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: LetsPRO.exe, 00000037.00000002.4187448131.00000000317A2000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Net.Http\netfx\System.Net.Http.pdb source: LetsPRO.exe, 00000037.00000002.4224367182.00000000392B2000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\userAccounts.pdbQ source: lets-test.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: lets-test.msi
Source:	Binary string: Extract: Mono.Cecil.Pdb.dll... 100% source: haxGhXjmBFM.exe, 00000008.00000003.2031982869.0000000000751000.00000004.00000020.00020000.00000000.sdmp, haxGhXjmBFM.exe, 00000008.00000002.2033229713.0000000000751000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4187448131.00000000317A2000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdb source: LetsPRO.exe, 00000037.00000002.4178819054.00000000300C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: lets-test.msi
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdb source: LetsPRO.exe, 00000037.00000002.4162624461.00000000059D2000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdbwD source: LetsPRO.exe, 00000037.00000002.4162624461.00000000059D2000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: e:\newclientmail\trunk\code\errorreport\release\ErrorReport.pdb source: LetsPRO.exe, 00000005.00000000.1716952895.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 00000005.00000002.1723561398.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000A.00000000.1717732510.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000A.00000002.1718436135.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000B.00000000.1717785516.0000000000436000.00000002.00000001.01000000.00000005.sdmp, LetsPRO.exe, 0000000B.00000002.1718664733.0000000000436000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LetsPRO.exe, 00000037.00000002.4168359295.00000000067F2000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: W.PDb source: haxGhXjmBFM.exe.1.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: LetsPRO.exe, 00000037.00000002.4178819054.00000000300C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: LetsPRO.exe, 00000037.00000002.4214834576.00000000387E2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: C:\Users\winsign\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: drvinst.exe, 00000023.00000003.1927968266.000002092AA5C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000024.00000003.1942016589.0000014379274000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb]KwK iK_CorDllMainmscoree.dll source: LetsPRO.exe, 00000037.00000002.4168992457.0000000006FB2000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: LetsPRO.exe, 00000037.00000002.4214552147.00000000387C2000.00000002.00000001.01000000.00000037.sdmp
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdb source: LetsPRO.exe, 00000037.00000002.4213951978.00000000385D2000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LetsPRO.exe, 00000037.00000002.4168580863.0000000006E72000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\lib\Release\common.pdb source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp, wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 00000003.00000000.1714533986.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000003.00000002.1724304213.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000007.00000000.1717340757.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000007.00000002.1718433574.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000009.00000002.1718643469.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000009.00000000.1717405600.0000000000BDD000.00000002.00000001.01000000.00000003.sdmp, LetsPRO.exe, 00000036.00000000.2029609057.00000000004AD000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 00000036.00000002.2041845468.00000000004AD000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp, wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdbm source: LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\bin\Release\wegame.pdb source: wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb source: LetsPRO.exe, 00000037.00000002.4168992457.0000000006FB2000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: LetsPRO.exe, 00000037.00000002.4168104099.0000000006772000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256xpRb source: LetsPRO.exe, 00000037.00000002.4196069676.00000000371F2000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LetsPRO.exe, 00000037.00000002.4196250023.0000000037212000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: LetsPRO.exe, 00000037.00000002.4168104099.0000000006772000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4196250023.0000000037212000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: E:\dailybuild_fix_5.4\wegame_client\build\lib\Release\adapt_for_imports.pdb source: wegame.exe, 00000006.00000002.4143381615.000000006C98C000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: LetsPRO.exe, 00000037.00000002.4178693283.00000000300B2000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: tapinstall.exe, 0000001E.00000002.1912221093.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000000.1910661790.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000000.1913117233.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000020.00000002.1953276492.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000002.1972779400.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000032.00000000.1970876937.00007FF7BEED1000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdb source: LetsPRO.exe, 00000037.00000002.4214552147.00000000387C2000.00000002.00000001.01000000.00000037.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4195831415.0000000035422000.00000002.00000001.01000000.0000002E.sdmp
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdbSHA256 source: LetsPRO.exe, 00000037.00000002.4213951978.00000000385D2000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdbxE source: LetsPRO.exe, 00000037.00000002.4168244500.00000000067E2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: keyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LetsPRO.exe, 00000037.00000002.4196069676.00000000371F2000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\git\wegame_client\dependences\Lua\include\lua51.pdb source: wegame.exe, 00000006.00000002.4141048756.000000006C57A000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034AB5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdb source: LetsPRO.exe, 00000037.00000002.4195831415.0000000035422000.00000002.00000001.01000000.0000002E.sdmp

Source: System.Web.Services.Description.dll.8.dr

Static PE information: 0xBC7E1473 [Tue Mar 18 14:42:59 2070 UTC]

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe

Code function: 5_2_0042C3DA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

5_2_0042C3DA

Source: beacon_sdk.dll.1.dr	Static PE information: section name: .QMGuid
Source: common.dll.1.dr	Static PE information: section name: .QMGuid
Source: Lua51.dll.1.dr	Static PE information: section name: .00cfg
Source: MSI3D02.tmp.1.dr	Static PE information: section name: .didat
Source: MSI3E8C.tmp.1.dr	Static PE information: section name: .didat
Source: MSI3EAC.tmp.1.dr	Static PE information: section name: .didat
Source: MSI3EDC.tmp.1.dr	Static PE information: section name: .didat

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC8835 push ecx; ret	3_2_00BC8848
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC8C76 push ecx; ret	3_2_00BC8C89
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_004210E5 push ecx; ret	5_2_004210F8
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_0042156D push ecx; ret	5_2_00421580
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00469146 push ecx; ret	6_2_00469159
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00467A8A push ecx; ret	6_2_00467A9D
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C501037 push ecx; ret	6_2_6C576FC9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5010FF push ecx; ret	6_2_6C506BB9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C5063DD push ebp; ret	6_2_6C50640E
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_004210E5 push ecx; ret	10_2_004210F8
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_0042156D push ecx; ret	10_2_00421580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_02E55DD0 push esp; ret	24_2_02E55DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_076566DB push FFFFFFE8h; iretd	24_2_076566DD

Source: msvcr100.dll.1.dr

Static PE information: section name: .text entropy: 6.910468675356735

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,memset,DeviceIoControl,memset,memset,memset,isalnum,isalnum,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive%d		6_2_6C614908
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,DeviceIoControl,memset,memset,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d		6_2_6C61468C

Sample is not signed and drops a device driver

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all

Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Ping.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\WindowsInput.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Data.SqlClient.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.CodePages.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\microsoft.identitymodel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Pkcs.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\ja\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Crashes.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\beacon_sdk.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Ports.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Principal.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\tr\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Squirrel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\ICSharpCode.AvalonEdit.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.PerformanceCounter.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DDE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNDomainModel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\PusherClient.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\ru\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.WinForms.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Annotations.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Globalization.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3EDC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\common.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Handles.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\adapt_for_imports.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\ToastNotifications.Messages.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.AppContext.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\es\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\haxGhXjmBFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Pdb.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\FontAwesome.WPF.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Cng.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Mdb.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.Core.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET9E3C.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Web.Services.Description.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\zh-Hans\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\zh-MO\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Users\user\AppData\Local\Temp\nst47D0.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Hardcodet.Wpf.TaskbarNotification.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Users\user\AppData\Local\Temp\nst47D0.tmp\System.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Drawing.Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\zh-TW\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPROCHS.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Analytics.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.ProtectedData.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\pt-BR\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\zh-SG\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\tap0901.sys (copy)	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\zh-HK\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensionsAsync.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\CommunityToolkit.Mvvm.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\ru\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Buffers.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\zh-CN\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Syndication.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Packaging.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\ndp462-web.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\fr\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\ko\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Http.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Requests.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.nativelibrary.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3EAC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.PatchApi.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Compression.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Utils.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLite-net.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ObjectModel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.MsDelta.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\NuGet.Squirrel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\arm64\WebView2Loader.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Security.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\netstandard.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\ToastNotifications.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\pl\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Claims.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.SystemEvents.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\Update.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Configuration.ConfigurationManager.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\zh-Hant\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3E8C.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Data.OleDb.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Management.Automation.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.IPNetwork.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\SET98CF.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\WebSocket4Net.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\de\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x64\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Rocks.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\x64\WebView2Loader.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Bcl.AsyncInterfaces.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\msvcr100.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\uninst.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\MdXaml.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.NetTcp.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Data.Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\log4net.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-arm\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Duplex.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.CodeDom.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\cs\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Http.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.Wpf.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D02.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Users\user\AppData\Local\Temp\nst47D0.tmp\nsExec.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Data.Odbc.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\x86\WebView2Loader.dll	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	File created: C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\SET97A6.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SharpCompress.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\libwin.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\it\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\msvcp100.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\wegame.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	File created: C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\Lua51.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Pipes.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Console.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\SuperSocket.ClientEngine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3E0E.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNInfraStructure.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Security.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Permissions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Xml.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\haxGhXjmBFM.exe

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DDE.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\tap0901.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3E8C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3E0E.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\SET98CF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D02.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3EAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3EDC.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET9E3C.tmp	Jump to dropped file

Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00458459 ?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ,FindWindowW,GetTickCount,PostMessageA,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,GetPrivateProfileIntW,?get_log_instance@base@@YAPAVILogger@1@XZ,WritePrivateProfileStringW,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z,GetTickCount,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?GetCurrentStage@Qos@qos@adapt_for_imports@ierd_tgp@@QAE?AW4ProcessStage@234@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z,Sleep,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,	6_2_00458459
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0045A90F __EH_prolog3_GS,?GetUpdatedFilePath@silence_update@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PB_W0@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,?exists@filesystem@ierd_tgp@@YA_NABVpath@12@@Z,?remove_filename@path@filesystem@ierd_tgp@@QAEAAV123@XZ,GetPrivateProfileIntW,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,	6_2_0045A90F
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00457BEC __EH_prolog3_catch_GS,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,SimpleUString::operator=,?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ,?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ,?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z,?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z,?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ,?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,WaitForSingleObject,?file_exists@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,??Bios_base@std@@QBE_NXZ,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?SetCrashInfo@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABUCrashInfo@234@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ,FindWindowW,GetTickCount,PostMessageA,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,GetPrivateProfileIntW,?get_log_instance@base@@YAPAVILogger@1@XZ,WritePrivateProfileStringW,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z,GetTickCount,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?GetCurrentStage@Qos@qos@adapt_for_imports@ierd_tgp@@QAE?AW4ProcessStage@234@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z,OutputDebugStringA,Sleep,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,	6_2_00457BEC

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,memset,DeviceIoControl,memset,memset,memset,isalnum,isalnum,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive%d		6_2_6C614908
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,DeviceIoControl,memset,memset,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d		6_2_6C61468C

Creates multiple autostart registry keys

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LetsPRO

Source: C:\Windows\System32\drvinst.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage

Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\LetsVPN.lnk	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\Uninstall.lnk	Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LetsPRO
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LetsPRO

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_0040A238 IsIconic,GetWindowPlacement,GetWindowRect,	5_2_0040A238
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_004019A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	5_2_004019A0
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_0040A238 IsIconic,GetWindowPlacement,GetWindowRect,	10_2_0040A238
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_004019A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	10_2_004019A0

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe

Code function: 3_2_00BC7B91 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00BC7B91

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where GUID="{2B9A5297-5294-4B1F-96F3-7829AB1F54EE}"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::PutInstance - root\cimv2 : Win32_NetworkAdapter.DeviceID="10"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select MACAddress From Win32_NetworkAdapter WHERE ((MACAddress Is Not NULL) AND (Manufacturer <> 'Microsoft'))
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapterConfiguration where SettingID="{2B9A5297-5294-4B1F-96F3-7829AB1F54EE}"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapterConfiguration.Index=10::EnableStatic
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_networkadapterconfiguration where ServiceName = 'tap0901'
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapterConfiguration.Index=10::EnableStatic
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where GUID="{2B9A5297-5294-4B1F-96F3-7829AB1F54EE}"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::PutInstance - root\cimv2 : Win32_NetworkAdapter.DeviceID="10"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapterConfiguration where SettingID="{2B9A5297-5294-4B1F-96F3-7829AB1F54EE}"

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Memory allocated: 17F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Memory allocated: 3370000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Memory allocated: 5370000 memory reserve \| memory write watch

Source: C:\Program Files (x86)\Common Files\wegame.exe

Code function: 6_2_0045B61D __EH_prolog3_GS,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,SimpleUString::operator=,?extract_name@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV34@@Z,OpenProcess,SetLastError,TerminateProcess,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,CloseHandle,Process32NextW,CloseHandle,

6_2_0045B61D

Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: ?get_first_mac@common@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,__EH_prolog3_catch_GS,GetAdaptersInfo,GetAdaptersInfo,?get_log_instance@base@@YAPAVILogger@1@XZ,__Init_thread_footer,		6_2_6C61722F
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: memset,GetSystemDirectoryA,PathAppendA,LoadLibraryA,GetProcAddress,GetAdaptersInfo,memset,FreeLibrary,memset,		6_2_6C614FDF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Thread delayed: delay time: 300000

Source: C:\Program Files (x86)\Common Files\wegame.exe	Window / User API: threadDelayed 7119	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1748	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6618
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3007
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Window / User API: threadDelayed 6483
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Window / User API: threadDelayed 2344

Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Packaging.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Ping.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\ndp462-web.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\WindowsInput.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Data.SqlClient.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Http.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Requests.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.nativelibrary.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3EAC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.PatchApi.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Compression.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Utils.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLite-net.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ObjectModel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\NuGet.Squirrel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.MsDelta.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\arm64\WebView2Loader.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Pkcs.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\microsoft.identitymodel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Security.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\netstandard.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\ToastNotifications.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Ports.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Claims.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Principal.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.SystemEvents.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Squirrel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\Update.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\ICSharpCode.AvalonEdit.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.PerformanceCounter.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3DDE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNDomainModel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\PusherClient.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Configuration.ConfigurationManager.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Data.OleDb.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3E8C.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Management.Automation.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\SET98CF.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.IPNetwork.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\WebSocket4Net.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.WinForms.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Annotations.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x64\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Globalization.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3EDC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Rocks.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\x64\WebView2Loader.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.AppContext.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\uninst.exe	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\MdXaml.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.NetTcp.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Memory.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-arm\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\log4net.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Duplex.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Pdb.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.CodeDom.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\FontAwesome.WPF.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Http.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.Wpf.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Cng.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D02.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Mdb.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.Core.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SET9E3C.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Web.Services.Description.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst47D0.tmp\nsExec.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Data.Odbc.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\x86\WebView2Loader.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.dll	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\SET97A6.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SharpCompress.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst47D0.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\libwin.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Hardcodet.Wpf.TaskbarNotification.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\driver\tap0901.sys	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst47D0.tmp\System.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Analytics.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPROCHS.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\msvcp100.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.ProtectedData.dll	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{99f02b5e-0c7c-d542-ad44-27ce9be55c97}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Pipes.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Console.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SuperSocket.ClientEngine.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\tap0901.sys (copy)	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3E0E.tmp	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensionsAsync.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.AccessControl.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Security.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNInfraStructure.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\CommunityToolkit.Mvvm.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Permissions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Buffers.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Xml.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Syndication.dll	Jump to dropped file
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Csp.dll	Jump to dropped file

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_5-27452

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	API coverage: 8.0 %
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	API coverage: 3.8 %
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	API coverage: 4.4 %

Source: C:\Program Files (x86)\Common Files\wegame.exe TID: 7804	Thread sleep time: -35595s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7172	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8476	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe TID: 8828	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe TID: 8916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe TID: 8892	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe TID: 8964	Thread sleep time: -6300000s >= -30000s

Source: C:\Program Files (x86)\Common Files\wegame.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BaseBoard
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select SerialNumber From Win32_BIOS
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BaseBoard
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Common Files\wegame.exe

Thread sleep count: Count: 7119 delay: -5

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC4318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,	3_2_00BC4318
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00404F4D __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	5_2_00404F4D
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0045CBDF __EH_prolog3_GS,memset,GetModuleFileNameW,?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ,?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ,memset,FindFirstFileW,memset,wcsncpy_s,wcsncat_s,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindClose,	6_2_0045CBDF
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004570C9 __EH_prolog3_GS,memset,memset,FindFirstFileW,memset,wcscmp,wcscmp,memset,DeleteFileW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,	6_2_004570C9
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00457307 __EH_prolog3_GS,memset,GetEnvironmentVariableW,?get_log_instance@base@@YAPAVILogger@1@XZ,memset,GetModuleFileNameW,wcsrchr,SimpleUString::operator=,memset,GetFileAttributesW,memset,memset,FindFirstFileW,memset,wcscmp,SimpleUString::operator=,wcscmp,wcscmp,FindNextFileW,FindClose,?get_log_instance@base@@YAPAVILogger@1@XZ,	6_2_00457307
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0040F710 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memset,FindFirstFileW,wcscpy_s,_invalid_parameter_noinfo_noreturn,	6_2_0040F710
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_004059CC
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_004065FD FindFirstFileW,FindClose,	8_2_004065FD
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Code function: 8_2_00402868 FindFirstFileW,	8_2_00402868
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00404F4D __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	10_2_00404F4D

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe

Code function: 5_2_004201A0 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

5_2_004201A0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Thread delayed: delay time: 300000

Source: wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: WQLSELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUEroot\cimv2Win32_NetworkAdapterConfigurationSetDNSServerSearchOrderDNSServerSearchOrderIndexCaptionvmwarevirtualWin32_NetworkAdapterConfiguration.Index=%d[repair_dns] success.
Source: LetsPRO.exe, 00000037.00000002.4192171082.0000000034D36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes_\
Source: LetsPRO.exe, 00000037.00000002.4193390857.0000000034E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034C3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000025.00000003.1947828604.000001CB07517000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@ethernetwlanppipvmnetextension7A}
Source: LetsPRO.exe, 00000037.00000002.4190761918.0000000034CB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034C3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System Product52Z18771434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney*
Source: LetsPRO.exe, 0000000A.00000002.1718865144.0000000000679000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: LetsPRO.exe, 0000000B.00000002.1719096774.0000000000589000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: svchost.exe, 0000000E.00000002.4142337286.00000177F8E5A000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4165069289.0000000006110000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q)Hyper-V Hypervisor Root Virtual Processor
Source: LetsPRO.exe, 00000037.00000002.4203867264.0000000037DBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service0S
Source: LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition']2d
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: LetsPRO.exe, 00000037.00000002.4137864478.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V xvwtwlbhtgklnyc Bus
Source: LetsPRO.exe, 00000037.00000002.4137864478.0000000001654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V xvwtwlbhtgklnyc Bus PipesI
Source: wegame.exe, 00000006.00000002.4138012300.0000000000762000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000038.00000002.4137542306.00000249B2069000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: LetsPRO.exe, 00000037.00000002.4166122797.00000000061A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q$Hyper-V Hypervisor Logical Processor
Source: lets-test.msi	Binary or memory string: S-1-0Null AuthorityS-1-0-0NobodyS-1-1World AuthorityS-1-2Local AuthorityS-1-2-0LocalS-1-2-1Console LogonS-1-3Creator AuthorityS-1-3-0Creator OwnerS-1-3-1Creator GroupS-1-3-2Creator Owner ServerS-1-3-3Creator Group ServerS-1-5-80-0All ServicesS-1-4Non-unique AuthorityS-1-5NT AuthorityS-1-5-1DialupS-1-5-2NetworkS-1-5-3BatchS-1-5-4InteractiveS-1-5-6ServiceS-1-5-7AnonymousS-1-5-8ProxyS-1-5-9Enterprise Domain ControllersS-1-5-10Principal SelfS-1-5-11Authenticated UsersS-1-5-12Restricted CodeS-1-5-13Terminal Server UsersS-1-5-14Remote Interactive LogonS-1-5-15This OrganizationS-1-5-17Local SystemS-1-5-19S-1-5-20AdministratorsS-1-5-32-545UsersS-1-5-32-546GuestsS-1-5-32-547Power UsersS-1-5-32-548Account OperatorsS-1-5-32-549Server OperatorsS-1-5-32-550Print OperatorsS-1-5-32-551Backup OperatorsS-1-5-32-552ReplicatorsS-1-5-64-10NTLM AuthenticationS-1-5-64-14SChannel AuthenticationS-1-5-64-21Digest AuthenticationS-1-5-80NT ServiceS-1-5-83-0NT VIRTUAL MACHINE\Virtual MachinesS-1-16-0Untrusted Mandatory LevelS-1-16-4096Low Mandatory LevelS-1-16-8192Medium Mandatory LevelS-1-16-8448Medium Plus Mandatory LevelS-1-16-12288High Mandatory LevelS-1-16-16384System Mandatory LevelS-1-16-20480Protected Process Mandatory LevelS-1-16-28672Secure Process Mandatory LevelS-1-5-32-554BUILTIN\Pre-Windows 2000 Compatible AccessS-1-5-32-555BUILTIN\Remote Desktop UsersS-1-5-32-556BUILTIN\Network Configuration OperatorsS-1-5-32-557BUILTIN\Incoming Forest Trust BuildersS-1-5-32-558BUILTIN\Performance Monitor UsersS-1-5-32-559BUILTIN\Performance Log UsersS-1-5-32-560BUILTIN\Windows Authorization Access GroupS-1-5-32-561BUILTIN\Terminal Server License ServersS-1-5-32-562BUILTIN\Distributed COM UsersS-1-5-32-569BUILTIN\Cryptographic OperatorsS-1-5-32-573BUILTIN\Event Log ReadersS-1-5-32-574BUILTIN\Certificate Service DCOM AccessS-1-5-32-575BUILTIN\RDS Remote Access ServersS-1-5-32-576BUILTIN\RDS Endpoint ServersS-1-5-32-577BUILTIN\RDS Management ServersS-1-5-32-578BUILTIN\Hyper-V AdministratorsS-1-5-32-579BUILTIN\Access Control Assistance Operators
Source: wegame.exe	Binary or memory string: vmware
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q*Hyper-V Dynamic Memory Integration Service
Source: LetsPRO.exe, 00000037.00000002.4190761918.0000000034CB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: svchost.exe, 0000000E.00000002.4138873670.00000177F382B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000025.00000003.1947598417.000001CB07521000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@vmnetextension
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q!Hyper-V Hypervisor Root Partition
Source: svchost.exe, 00000038.00000002.4137207566.00000249B2000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: LetsPRO.exe, 00000005.00000002.1724458157.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: svchost.exe, 00000025.00000003.1947985539.000001CB0753A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @vmnetextension
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q!Hyper-V Virtual Machine Bus Pipes

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Program Files (x86)\Common Files\wegame.exe

Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep

graph_6-74613

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe

Code function: 3_2_00BCDAD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00BCDAD2

Source: C:\Program Files (x86)\Common Files\wegame.exe

Code function: 6_2_004660C6 __EH_prolog3_catch_GS,GetCommandLineW,SimpleUString::operator=,MessageBoxA,strcmp,?stamp_init@@YAXXZ,?stamp_point@@YAXPBD@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?get_client_id@util_client_info@ierd_tgp@@YAHXZ,?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV45@@Z,?get_process_count@util_multi_instance@ierd_tgp@@YAHPBD@Z,?set_same_client_type_multi_instance@util_multi_instance@ierd_tgp@@YAX_N@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?SetIsMultiInstance@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_N@Z,?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z,OutputDebugStringA,CreateMutexA,GetLastError,?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z,OpenEventA,SetEvent,CloseHandle,CloseHandle,CloseHandle,CloseHandle,?get_log_instance@base@@YAPAVILogger@1@XZ,GetCurrentProcess,TerminateProcess,?sync_proxy_settings@client_helper@net@ierd_tgp@@YAXXZ,_stricmp,_stricmp,?enable_static_detail_log@common@ierd_tgp@@YAX_N@Z,_stricmp,?enable_profile_on@common@ierd_tgp@@YAX_N@Z,_stricmp,?enable_offline_mode_on@common@ierd_tgp@@YAX_N@Z,_stricmp,?set_restart_after_update@common@ierd_tgp@@YAX_N@Z,?set_quick_login_uin@common@ierd_tgp@@YAXK@Z,?set_start_from_host@common@ierd_tgp@@YAX_N@Z,?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV45@@Z,?enable_offline_mode_on@common@ierd_tgp@@YAX_N@Z,?set_offline_login_account@common@ierd_tgp@@YAX_K@Z,GetCommandLineW,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?set_game_launcher_flag@common@ierd_tgp@@YAX_N@Z,?set_game_launcher_msg@common@ierd_tgp@@YAXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_launcher_info@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_K@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?is_offline_mode_on@common@ierd_tgp@@YA_NXZ,?set_game_launcher_flag@common@ierd_tgp@@YAX_N@Z,?set_game_launcher_msg@common@ierd_tgp@@YAXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?IsSubWegameProcess@util_multi_instance@ierd_tgp@@YA_NXZ,PathFileExistsW,PathFileExistsW,DeleteFileW,PathFileExistsW,?get_log_instance@base@@YAPAVILogge

6_2_004660C6

Source: C:\Program Files (x86)\Common Files\wegame.exe

6_2_0045B61D

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe

Code function: 5_2_0042C3DA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

5_2_0042C3DA

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BD5217 mov eax, dword ptr fs:[00000030h]		3_2_00BD5217
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCEDE2 mov eax, dword ptr fs:[00000030h]		3_2_00BCEDE2

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe

Code function: 3_2_00BD605E GetProcessHeap,

3_2_00BD605E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe"

Jump to behavior

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BCDAD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00BCDAD2
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC8A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00BC8A28
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC8E32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00BC8E32
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: 3_2_00BC8FC5 SetUnhandledExceptionFilter,	3_2_00BC8FC5
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00420004 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00420004
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00420965 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00420965
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00426DF8 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00426DF8
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 5_2_00423ED8 SetUnhandledExceptionFilter,	5_2_00423ED8
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0046823B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0046823B
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00468F3B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00468F3B
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0046909D SetUnhandledExceptionFilter,	6_2_0046909D
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C576C97 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C576C97
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C502171 SetUnhandledExceptionFilter,	6_2_6C502171
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_6C575E82 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6C575E82
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00420004 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00420004
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00420965 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00420965
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00426DF8 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00426DF8
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: 10_2_00423ED8 SetUnhandledExceptionFilter,	10_2_00423ED8

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"

Executes Lua script

Source: C:\Windows\System32\msiexec.exe

File Created: C:\Program Files (x86)\Common Files\Lua51.dll

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Process created: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Process created: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: LetsPRO.exe, 00000037.00000002.4201314539.0000000037A82000.00000002.00000001.01000000.00000033.sdmp	Binary or memory string: Shell_TrayWnd
Source: LetsPRO.exe, 00000037.00000002.4268427872.000000006852B000.00000002.00000001.01000000.00000024.sdmp	Binary or memory string: AddFontResourceWAdjustWindowRectAlready ReportedAssocIsDangerousAuditSetSecurityBITMAPINFOHEADERBringWindowToTopCRYPT_OBJID_BLOBCertControlStoreCheckRadioButtonCloseEnhMetaFileCoCreateInstanceCoGetCallContextCoGetInterceptorCoMarshalHresultCoTaskMemReallocCombineTransformConnectNamedPipeContent-EncodingContent-LanguageContent-Length: CopyEnhMetaFileWCreateDIBSectionCreateDirectoryWCreateHatchBrushCreateIpNetEntryCreateJobObjectWCreateMDIWindowWCreateNamedPipeWCreatePolygonRgnCreateSemaphoreWCreateSolidBrushCreateTimerQueueCryptDestroyHashCryptExportPKCS8CryptGetKeyParamCryptMsgGetParamCryptProtectDataCryptQueryObjectCryptSetKeyParamDAD_SetDragImageDPA_EnumCallbackDdeQueryConvInfoDdeSetUserHandleDeactivateActCtxDefMDIChildProcWDefineDosDeviceWDeleteColorSpaceDeleteIpNetEntryDeleteTimerQueueDestination-PortDispatchMessageWDnsNameCompare_WDrawCaptionTempWDrawFrameControlDuplicateTokenExEndBufferedPaintEngCreatePaletteEngDeletePaletteEngDeleteSurfaceEngGetDriverNameEngStretchBltROPEngUnlockSurfaceEnumChildWindowsEnumICMProfilesWExcludeUpdateRgnExtSelectClipRgnFONTOBJ_vGetInfoFRAME_SIZE_ERRORFindFirstFreeAceFindFirstVolumeWFlushFileBuffersGC scavenge waitGC worker (idle)GODEBUG: value "GdiGetBatchLimitGdiIsMetaPrintDCGdiSetBatchLimitGetAsyncKeyStateGetBestInterfaceGetCalendarInfoWGetClassLongPtrWGetClipboardDataGetComputerNameWGetConsoleAliasWGetConsoleTitleWGetConsoleWindowGetCurrentActCtxGetCurrentObjectGetCurrentThreadGetDIBColorTableGetDesktopWindowGetDllDirectoryWGetExpandedNameWGetFileSecurityWGetFullPathNameWGetGUIThreadInfoGetGestureConfigGetGlyphIndicesWGetGlyphOutlineWGetInterfaceInfoGetIpErrorStringGetKerningPairsWGetKeyboardStateGetLastInputInfoGetLogicalDrivesGetLongPathNameWGetMenuItemCountGetMenuItemInfoWGetMenuPosFromIDGetModuleHandleWGetNamedPipeInfoGetNetworkParamsGetOpenFileNameWGetPriorityClassGetProgmanWindowGetSaveFileNameWGetScrollBarInfoGetStringScriptsGetSysColorBrushGetSystemMetricsGetTaskmanWindowGetTcpStatisticsGetTempFileNameWGetThemeFilenameGetThemePartSizeGetThemePositionGetThemeSysColorGetThreadDesktopGetUdpStatisticsGetViewportExtExGetViewportOrgExGlobalDeleteAtomHANIMATIONBUFFERHost-Remote-ListIConnectionPointICreateErrorInfoILLoadFromStreamINTERFACE_HANDLEIOleAdviseHolderIOleInPlaceFrameIP_PREFIX_ORIGINIP_SUFFIX_ORIGINIPropertyStorageIUnknown_GetSiteIUnknown_SetSiteI_CryptDetachTlsI_RpcSendReceiveIcmpParseRepliesImageList_CreateImageList_DrawExImageList_RemoveImmConfigureIMEWImmCreateContextImmGetGuideLineWImmGetOpenStatusImmGetVirtualKeyImmRegisterWordWImmSetOpenStatusImperial_AramaicInitializeFlatSBInstRuneAnyNotNLInterfaceRemovedIntlStrEqWorkerWIpReleaseAddressIsBadHugeReadPtrIsDBCSLeadByteExIsDialogMessageWIsTokenUntrustedIsValidInterfaceJasonMarshalFailK32EnumProcessesLCIDToLocaleNameLPFNVIEWCALLBACKLPPERSISTSTORAGELPPRINTPAGERANGELPSHELLFLAGSTATELPSHFILEOPSTRUCTLPWPUPOSTMESSAGELPWSANSCLASSINFOLocalLinkAddressLocaleNameToLCIDLockWindowUpdateMIB_IPADDRROW_XPMIB_IPFORWARDROWMapVirtualKeyExWMeroitic_CursiveMonitorF

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe

Code function: 3_2_00BC8C8B cpuid

3_2_00BC8C8B

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: EnumSystemLocalesW,	3_2_00BD8096
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: EnumSystemLocalesW,	3_2_00BD808C
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: EnumSystemLocalesW,	3_2_00BD80E1
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: GetLocaleInfoW,	3_2_00BD219D
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: EnumSystemLocalesW,	3_2_00BD817C
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00BD8207
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: EnumSystemLocalesW,	3_2_00BD1CFD
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: GetLocaleInfoW,	3_2_00BD845C
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00BD8584
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: GetLocaleInfoW,	3_2_00BD868C
Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00BD875F
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: _wcscpy_s,GetLocaleInfoW,__snprintf_s,LoadLibraryW,	5_2_004058F3
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: GetLocaleInfoA,	5_2_0043200D
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	5_2_00433AF1
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	5_2_00433AFF
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: _wcscpy_s,GetLocaleInfoW,__snprintf_s,LoadLibraryW,	10_2_004058F3
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: GetLocaleInfoA,	10_2_0043200D
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	10_2_00433AF1
Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	10_2_00433AFF

Source: C:\Program Files (x86)\Common Files\wegame.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\haxGhXjmBFM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Queries volume information: C:\Program Files (x86)\letsvpn\driver\tap0901.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{7fc39624-296a-4042-b309-10cc640cfd85}\tap0901.cat VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\Utils.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\log4net.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNDomainModel.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\CommunityToolkit.Mvvm.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Memory.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Buffers.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNInfraStructure.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.nativelibrary.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\Hardcodet.Wpf.TaskbarNotification.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\PusherClient.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\WebSocket4Net.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\SuperSocket.ClientEngine.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\SQLite-net.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Http.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation

Source: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe

Code function: 3_2_00BC9087 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00BC9087

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe

Code function: 5_2_0042A39B __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

5_2_0042A39B

Source: C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPRO.exe

Code function: 5_2_00405B0B __EH_prolog3,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,GetModuleFileNameW,GetVersion,RegOpenKeyExW,RegQueryValueExW,_sscanf,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,RegCloseKey,GetModuleHandleW,EnumResourceLanguagesW,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,_memset,

5_2_00405B0B

Source: C:\Program Files (x86)\Common Files\wegame.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Program Files (x86)\haxGhXjmBFM.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets

Source: C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D Blob

Stealing of Sensitive Information

Modifies the DNS server

Source: C:\Windows\System32\svchost.exe

Registry value created:

Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0045D537 __EH_prolog3_catch_GS,?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_qos_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXK@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_ver@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABUversion_t@common@4@@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_machine_id@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,?set_machine_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_qm_report_guid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?set_machine_guid_async@Application@common@ierd_tgp@@SAXXZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_session_id@Application@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,?set_session_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_client_id@util_client_info@ierd_tgp@@YAHXZ,?set_client_version_type@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXH@Z,?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_uid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_exe_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ,?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_channel_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABH@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_bind_game_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXAB_K@Z,?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAH@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?SetStartForID@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_K@Z,	6_2_0045D537
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_004462AA ?to_json@jsonbind@@YAHPAXAAVValue@Json@@@Z,	6_2_004462AA
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_0045D63F ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_qos_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXK@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_ver@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABUversion_t@common@4@@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_machine_id@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,?set_machine_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_qm_report_guid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?set_machine_guid_async@Application@common@ierd_tgp@@SAXXZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_session_id@Application@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,?set_session_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_client_id@util_client_info@ierd_tgp@@YAHXZ,?set_client_version_type@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXH@Z,?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_uid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_exe_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ,?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_channel_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABH@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_bind_game_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXAB_K@Z,?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAH@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?SetStartForID@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_K@Z,	6_2_0045D63F
Source: C:\Program Files (x86)\Common Files\wegame.exe	Code function: 6_2_00445DFD ?from_json@jsonbind@@YAHPAXABVValue@Json@@@Z,	6_2_00445DFD

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	331 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	221 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	3 Windows Service	1 Access Token Manipulation	31 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	111 Registry Run Keys / Startup Folder	3 Windows Service	1 Software Packing	NTDS	178 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	112 Process Injection	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	111 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	471 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	371 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	42 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	371 Virtualization/Sandbox Evasion	Network Sniffing	11 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	112 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Bootkit	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\LetsPROCHS.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Lua51.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\adapt_for_imports.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\beacon_sdk.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\common.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\wegame.exe	0%	ReversingLabs
C:\Program Files (x86)\haxGhXjmBFM.exe	0%	ReversingLabs
C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe	0%	ReversingLabs
C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\msvcp100.dll	0%	ReversingLabs
C:\Program Files (x86)\haxGhXjmBFM\app-3.8.0\msvcr100.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\LetsPRO.exe	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\Update.exe	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\CommunityToolkit.Mvvm.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.MsDelta.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.PatchApi.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\FontAwesome.WPF.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Hardcodet.Wpf.TaskbarNotification.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\ICSharpCode.AvalonEdit.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe	3%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNDomainModel.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNInfraStructure.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\MdXaml.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Analytics.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Crashes.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Bcl.AsyncInterfaces.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Expression.Interactions.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.WinForms.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.Wpf.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Primitives.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.AccessControl.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.SystemEvents.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Mdb.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Pdb.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Rocks.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\NuGet.Squirrel.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\PusherClient.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SQLite-net.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensions.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensionsAsync.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.batteries_v2.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.core.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.nativelibrary.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.provider.dynamic_cdecl.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SharpCompress.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\Squirrel.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\SuperSocket.ClientEngine.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\System.AppContext.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.8.0\System.Buffers.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://www.newtonsoft.com/jsonschema	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson	0%	URL Reputation	safe
https://aka.ms/toolkit/dotnet	0%	Avira URL Cloud	safe
https://letsvpn.world/registerterm.html	0%	Avira URL Cloud	safe
http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a-s-f	0%	Avira URL Cloud	safe
https://postPost223.61.70.52	0%	Avira URL Cloud	safe
http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a	0%	Avira URL Cloud	safe
https://nit.crash1ytics.com/app33/devicechecking	0%	Avira URL Cloud	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Avira URL Cloud	safe
https://pngimg.com/uploads/light/light_PNG14440.png	0%	Avira URL Cloud	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	Avira URL Cloud	safe
http://www.hardcodet.net/taskbar	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ	0%	Avira URL Cloud	safe
https://rdrt.jkjtdfbs.com/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid	0%	Avira URL Cloud	safe
https://in.appcenter.ms./logs?api-version=1.0.0	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/collections/Killer	0%	Avira URL Cloud	safe
http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2	0%	Avira URL Cloud	safe
http://schemas.fontawesome.io/icons/	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6	0%	Avira URL Cloud	safe
http://wpfanimatedgif.codeplex.com	0%	Avira URL Cloud	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	Avira URL Cloud	safe
https://nit.crash1ytics.com/app33/devicehttps://nit.crash1ytics.com/app33/deviceHu	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicCo	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll1.2.5	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiedns_client_subnet=0.0.0.0%2F0&name=d1dmgcawtbm6l9.clo	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	Avira URL Cloud	safe
https://github.com/CommunityToolkit/dotnet	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	0%	Avira URL Cloud	safe
http://www.dnie.es/dpc0	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2925752-how-to-download-letsvpn	0%	Avira URL Cloud	safe
https://nit.crash1ytics.com-	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2780068-%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%BE%9	0%	Avira URL Cloud	safe
https://0.0.0.0%2F0	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/collections/1628560-help-documents	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8	0%	Avira URL Cloud	safe
https://nit.crash1ytics.comhttpCode=-2	0%	Avira URL Cloud	safe
https://letsvpn.world/terms.html	0%	Avira URL Cloud	safe
http://www.firmaprofesional.com/cps0	0%	Avira URL Cloud	safe
https://nit.crash1ytics.com/app33/devicehttps://nit.crash1ytics.com/app33/device	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/-N	0%	Avira URL Cloud	safe
https://letsvpn.world/privacy.html	0%	Avira URL Cloud	safe
https://in.appcenter.ms/logs?api-version=1.0.0	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV2	0%	Avira URL Cloud	safe
https://widget.intercom.io/widget/	0%	Avira URL Cloud	safe
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windo	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1	0%	Avira URL Cloud	safe
https://nit.crash1ytics.com/app33/device	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588	0%	Avira URL Cloud	safe
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/3401886-special-settings-for-smartby	0%	Avira URL Cloud	safe
http://tqos.wegamex.com.hk/	0%	Avira URL Cloud	safe
https://github.com/JamesNK/Newtonsoft.Json	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958	0%	Avira URL Cloud	safe
https://nit.crash1ytics.com	0%	Avira URL Cloud	safe
http://ocsp.sectig	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1	0%	Avira URL Cloud	safe
https://USUS2.Session-IdCERTIFICATE	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0	0%	Avira URL Cloud	safe
https://clients2.googleusercontent.com/crx/blobs/Af2yII2B0rZ8cHZ0zhAQMpE5nnHa-luPaKnkV2HzRYHJSUKQp47BzdeiX0Igp7uG9ixLd9f-dn93AlqvBwPDqfl_F5H1vnj2K-nXA2wr_RToPGmP3S9lmWq3G-LCKHiOc8oAxlKa5TcGVwrsFgTq79yNDjEULjiD5Cwy/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_79_1_0.crx	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-api	0%	Avira URL Cloud	safe
http://pki.digidentity.eu/validatie0	0%	Avira URL Cloud	safe
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8262801-special-settings-for-killer-	0%	Avira URL Cloud	safe
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8262720-special-settings-for-host-ne	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/3710603-about-logging-in-out-anomalies	0%	Avira URL Cloud	safe
http://crl.m	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	0%	Avira URL Cloud	safe
https://in.appcenter.ms	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicC4t	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	unknown
d1dmgcawtbm6l9.cloudfront.net	3.164.160.102	true	false	unknown
sni1gl.wpc.nucdn.net	152.199.21.175	true	false	unknown
ied-tqos.wegamex.com.hk	103.7.30.61	true	false	unknown
nal.fqoqehwib.com	104.112.172.245	true	false	unknown
www.wshifen.com	103.235.46.96	true	false	unknown
socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com	54.169.168.67	true	false	unknown
www.google.com	142.250.186.164	true	false	unknown
nit.crash1ytics.com	142.242.204.31	true	false	unknown
yandex.com	77.88.55.88	true	false	unknown
tqos.wegamex.com.hk	103.7.30.83	true	false	unknown
googlehosted.l.googleusercontent.com	142.250.186.129	true	false	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
chr.alipayassets.com	85.222.79.57	true	false	unknown
in.appcenter.ms	unknown	unknown	false	unknown
ws-ap1.pusher.com	unknown	unknown	false	unknown
www.baidu.com	unknown	unknown	false	unknown
clients2.googleusercontent.com	unknown	unknown	false	unknown
www.yandex.com	unknown	unknown	false	unknown
crt.sectigo.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2	false	Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1	false	Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1	false	Avira URL Cloud: safe	unknown
http://tqos.wegamex.com.hk/	false	Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1	false	Avira URL Cloud: safe	unknown
https://clients2.googleusercontent.com/crx/blobs/Af2yII2B0rZ8cHZ0zhAQMpE5nnHa-luPaKnkV2HzRYHJSUKQp47BzdeiX0Igp7uG9ixLd9f-dn93AlqvBwPDqfl_F5H1vnj2K-nXA2wr_RToPGmP3S9lmWq3G-LCKHiOc8oAxlKa5TcGVwrsFgTq79yNDjEULjiD5Cwy/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_79_1_0.crx	false	Avira URL Cloud: safe	unknown
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://pngimg.com/uploads/light/light_PNG14440.png	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/toolkit/dotnet	LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp	false	Avira URL Cloud: safe	unknown
http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a-s-f	wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	LetsPRO.exe, 00000037.00000002.4163447409.0000000005D52000.00000002.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 0000000E.00000003.1727303694.00000177F8D23000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D87000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D74000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1727303694.00000177F8D68000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a	wegame.exe, wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://letsvpn.world/registerterm.html	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com/app33/devicechecking	LetsPRO.exe, 00000037.00000002.4172640122.000000000FC86000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://postPost223.61.70.52	LetsPRO.exe, 00000037.00000002.4177372856.000000000FF72000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000000E.00000003.1727303694.00000177F8CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hardcodet.net/taskbar	LetsPRO.exe, 00000037.00000002.4201314539.0000000037A82000.00000002.00000001.01000000.00000033.sdmp, LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid	LetsPRO.exe, 00000037.00000002.4268427872.000000006852B000.00000002.00000001.01000000.00000024.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000C.00000002.1728755337.00000000047A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1728755337.0000000004799000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1893721239.0000000004C11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rdrt.jkjtdfbs.com/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000018.00000002.1898978574.0000000005C86000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://intercom.help/letsvpn-world/en/collections/Killer	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.fontawesome.io/icons/	LetsPRO.exe, 00000037.00000002.4143541172.0000000003371000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://in.appcenter.ms./logs?api-version=1.0.0	LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.1728755337.000000000476C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1893721239.0000000004C11000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4143541172.0000000003371000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wpfanimatedgif.codeplex.com	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com/app33/devicehttps://nit.crash1ytics.com/app33/deviceHu	LetsPRO.exe, 00000037.00000002.4172640122.000000000FC86000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCo	LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll1.2.5	wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiedns_client_subnet=0.0.0.0%2F0&name=d1dmgcawtbm6l9.clo	LetsPRO.exe, 00000037.00000002.4171712622.000000000FC22000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD44000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000018.00000002.1893721239.0000000004D66000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034AB5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/CommunityToolkit/dotnet	LetsPRO.exe, 00000037.00000002.4167809675.0000000006742000.00000002.00000001.01000000.0000001E.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	LetsPRO.exe, 00000037.00000002.4168359295.00000000067F2000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dnie.es/dpc0	LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 0000000E.00000002.4142093238.00000177F8E00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	haxGhXjmBFM.exe, 00000008.00000002.2032480091.000000000040A000.00000004.00000001.01000000.00000006.sdmp, haxGhXjmBFM.exe, 00000008.00000003.1973465998.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, haxGhXjmBFM.exe, 00000008.00000000.1717959233.000000000040A000.00000008.00000001.01000000.00000006.sdmp, haxGhXjmBFM.exe.1.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000018.00000002.1893014368.0000000002F54000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1905703178.00000000073F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2925752-how-to-download-letsvpn	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com-	LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000018.00000002.1893721239.0000000004D66000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	false	URL Reputation: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2780068-%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%BE%9	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8	LetsPRO.exe, 00000037.00000002.4168398162.00000000067F6000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/collections/1628560-help-documents	LetsPRO.exe, 00000037.00000002.4143541172.0000000003371000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.comhttpCode=-2	LetsPRO.exe, 00000037.00000002.4176710420.000000000FF1B000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://0.0.0.0%2F0	LetsPRO.exe, 00000037.00000002.4172640122.000000000FC92000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://letsvpn.world/terms.html	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com/app33/devicehttps://nit.crash1ytics.com/app33/device	LetsPRO.exe, 00000037.00000002.4177372856.000000000FF72000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/-N	haxGhXjmBFM.exe, 00000008.00000002.2033229713.0000000000739000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	wegame.exe, wegame.exe, 00000006.00000002.4142318714.000000006C825000.00000002.00000001.01000000.00000008.sdmp, wegame.exe, 00000006.00000003.1736539346.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://letsvpn.world/privacy.html	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	wegame.exe, 00000006.00000002.4143954280.000000006CECB000.00000002.00000001.01000000.0000000C.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://in.appcenter.ms/logs?api-version=1.0.0	LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://widget.intercom.io/widget/	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windo	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nit.crash1ytics.com/app33/device	LetsPRO.exe, 00000037.00000002.4175179086.000000000FD84000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588	LetsPRO.exe, 00000037.00000002.4168580863.0000000006E72000.00000002.00000001.01000000.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/JamesNK/Newtonsoft.Json	LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000018.00000002.1898978574.0000000005C86000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4153902708.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/3401886-special-settings-for-smartby	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958	LetsPRO.exe, 00000037.00000002.4168580863.0000000006E72000.00000002.00000001.01000000.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectig	LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com	LetsPRO.exe, 00000037.00000002.4173917688.000000000FD0C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://USUS2.Session-IdCERTIFICATE	LetsPRO.exe, 00000037.00000002.4173822346.000000000FD00000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4177372856.000000000FF72000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4177807037.000000000FFB2000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4176380888.000000000FEAA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0	LetsPRO.exe, 00000037.00000002.4187562856.0000000034B38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-api	LetsPRO.exe, 00000037.00000002.4171712622.000000000FC22000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4173917688.000000000FD44000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.digidentity.eu/validatie0	LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8262801-special-settings-for-killer-	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	false	URL Reputation: safe	unknown
https://d3jb1hiazbhf2r.cloudfront.net/letsvpn-world/en/articles/8262720-special-settings-for-host-ne	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.m	LetsPRO.exe, 00000037.00000002.4183661580.0000000030CEF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/3710603-about-logging-in-out-anomalies	LetsPRO.exe, 00000037.00000000.2030391391.0000000000E62000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	LetsPRO.exe, 00000037.00000002.4142762410.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4180752320.00000000309B5000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4187562856.0000000034BA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 0000000E.00000003.1727303694.00000177F8D42000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://in.appcenter.ms	LetsPRO.exe, 00000037.00000002.4143541172.0000000003648000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.4179081431.0000000030452000.00000002.00000001.01000000.00000027.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	LetsPRO.exe, 00000037.00000002.4194258639.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDll	wegame.exe, 00000006.00000002.4137406249.0000000000476000.00000002.00000001.01000000.00000004.sdmp, wegame.exe, 00000006.00000000.1716127775.0000000000476000.00000002.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	LetsPRO.exe, 00000037.00000002.4164213776.0000000006032000.00000002.00000001.01000000.0000001D.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicC4t	LetsPRO.exe, 00000037.00000002.4166122797.0000000006193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
183.60.146.66	unknown	China	134763	CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCN	false
103.7.30.61	ied-tqos.wegamex.com.hk	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false
103.7.30.83	tqos.wegamex.com.hk	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false
35.227.223.56	unknown	United States	15169	GOOGLEUS	false
108.138.24.13	unknown	United States	16509	AMAZON-02US	false
152.195.19.97	unknown	United States	15133	EDGECASTUS	false
103.235.46.96	www.wshifen.com	Hong Kong	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.98.101.155	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
3.164.160.102	d1dmgcawtbm6l9.cloudfront.net	United States	16509	AMAZON-02US	false
142.251.35.170	unknown	United States	15169	GOOGLEUS	false
142.250.186.129	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
77.88.55.88	yandex.com	Russian Federation	13238	YANDEXRU	false
54.169.168.67	socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1476283
Start date and time:	2024-07-18 22:56:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	65
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lets-test.msi
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winMSI@118/595@27/19
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 192 Number of non-executed functions: 216
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 142.250.186.78, 204.79.197.239, 13.107.21.239, 184.28.90.27, 104.18.38.233, 172.64.149.23, 2.23.209.140, 2.23.209.130, 2.23.209.187, 2.23.209.182, 2.23.209.133, 2.23.209.179, 2.23.209.149, 2.23.209.189, 20.57.103.21, 4.152.45.219, 152.199.19.161, 4.153.25.42, 142.250.80.67, 142.250.65.163, 142.251.32.99, 142.250.176.195
Excluded domains from analysis (whitelisted): wildcardtlu.azureedge.net, cdp-f-ssl-tlu-net.trafficmanager.net, crt.comodoca.com.cdn.cloudflare.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, in2-gw2-03-3d6c3051.eastus2.cloudapp.azure.com, edgeassetservice.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, prod.fs.microsoft.com.akadns.net, wildcardtlu.ec.azureedge.net, config.edge.skype.com, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, www.bing.com, cdp-f-tlu-net.trafficmanager.net, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, in1-gw2-01-3d6c3051.eastus2.cloudapp.azure.com, wildcar
Execution Graph export aborted for target powershell.exe, PID 7968 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: lets-test.msi

Simulations

Behavior and APIs

Time	Type	Description
16:57:10	API Interceptor	2x Sleep call for process: svchost.exe modified
16:57:24	API Interceptor	16x Sleep call for process: powershell.exe modified
16:57:42	API Interceptor	6556509x Sleep call for process: LetsPRO.exe modified
16:59:20	API Interceptor	3331x Sleep call for process: wegame.exe modified
21:57:09	Task Scheduler	Run new task: haxGhXjmBFM path: C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe
21:57:09	Task Scheduler	Run new task: pdRbyqJqGUY path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe s>--no-startup-window --win-session-start
21:57:09	Task Scheduler	Run new task: tRyVurwmBkV path: C:\Program Files (x86)\Common Files\wegame.exe
21:57:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
21:57:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
21:57:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LetsPRO "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe" /silent
21:57:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LetsPRO "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe" /silent

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
183.60.146.66	zx.exe	Get hash	malicious	Unknown	Browse
	zx.exe	Get hash	malicious	Unknown	Browse
	zx.exe	Get hash	malicious	Unknown	Browse
	zx.exe	Get hash	malicious	Unknown	Browse
	zx.exe	Get hash	malicious	Unknown	Browse
	zx.exe	Get hash	malicious	Unknown	Browse
103.7.30.61	setup#U67e5#U8be2_pf2024.exe	Get hash	malicious	GhostRat, Nitol	Browse
103.7.30.83	setup#U67e5#U8be2_pf2024.exe	Get hash	malicious	GhostRat, Nitol	Browse
108.138.24.13	zx.exe	Get hash	malicious	Unknown	Browse
152.195.19.97	http://ustteam.com/	Get hash	malicious	Unknown	Browse	www.ust.com/
103.235.46.96	6o63snaetO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	http://metamask-zhwallet.org/	Get hash	malicious	Unknown	Browse	www.baidu.com/img/flexible/logo/plus_logo_web_2.png
	Tas10.dll	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Tas8.dll	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Tas8_WL.dll	Get hash	malicious	BlackMoon	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ied-tqos.wegamex.com.hk	setup#U67e5#U8be2_pf2024.exe	Get hash	malicious	GhostRat, Nitol	Browse	103.7.30.61
chrome.cloudflare-dns.com	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse	172.64.41.3
	https://app.pandadoc.com/document/01fc0506672a338844b1e0a33f8f8c691e8b5536	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecuriteInfo.com.decompression.bomb.9781.1949.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	MicrosoftInst.exe	Get hash	malicious	GhostRat	Browse	162.159.61.3
	cc00980_.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	ziprar.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	PEDIDO DE COMPRA URGENTEs#U034fx#U034fl#U034fx#U034f..exe	Get hash	malicious	FormBook	Browse	172.64.41.3
	https://ury.io/aVPeBa	Get hash	malicious	Unknown	Browse	172.64.41.3
	CC-CREDIT CARD-itineraries.exe	Get hash	malicious	FormBook	Browse	162.159.61.3
	bt2eTjYGOb.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
d1dmgcawtbm6l9.cloudfront.net	zx.exe	Get hash	malicious	Unknown	Browse	18.239.15.216
	zx.exe	Get hash	malicious	Unknown	Browse	3.164.160.24
	zx.exe	Get hash	malicious	Unknown	Browse	108.138.24.13
	zx.exe	Get hash	malicious	Unknown	Browse	108.138.24.227
	zx.exe	Get hash	malicious	Unknown	Browse	18.154.80.50
	zx.exe	Get hash	malicious	Unknown	Browse	18.239.15.44
sni1gl.wpc.nucdn.net	https://app.pandadoc.com/document/01fc0506672a338844b1e0a33f8f8c691e8b5536	Get hash	malicious	Unknown	Browse	152.199.21.175
	ziprar.exe	Get hash	malicious	Unknown	Browse	152.199.21.175
	PEDIDO DE COMPRA URGENTEs#U034fx#U034fl#U034fx#U034f..exe	Get hash	malicious	FormBook	Browse	152.199.21.175
	df.exe	Get hash	malicious	Unknown	Browse	152.195.19.97
	CC-CREDIT CARD-itineraries.exe	Get hash	malicious	FormBook	Browse	152.199.21.175
	s6ue6dcFAI.exe	Get hash	malicious	Babadeda	Browse	152.199.21.175
	LJERbwcloq.exe	Get hash	malicious	Babadeda	Browse	152.199.21.175
	LJERbwcloq.exe	Get hash	malicious	Babadeda	Browse	152.199.21.175
	z46Ordendecompraurgente___s__x__l__x___.exe	Get hash	malicious	Coinhive, FormBook, Xmrig	Browse	152.199.21.175
	#U7a3d#U67e5#U4f01#U4e1a#U540d#U5355#U518c-#U7ec8#U7aef.exe	Get hash	malicious	Unknown	Browse	152.199.21.175
nal.fqoqehwib.com	zx.exe	Get hash	malicious	Unknown	Browse	33.86.72.19
	zx.exe	Get hash	malicious	Unknown	Browse	99.34.124.121
	zx.exe	Get hash	malicious	Unknown	Browse	99.34.124.121
	zx.exe	Get hash	malicious	Unknown	Browse	99.34.124.121
	zx.exe	Get hash	malicious	Unknown	Browse	104.112.172.245
	zx.exe	Get hash	malicious	Unknown	Browse	10.176.38.125

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Meredith Machinery LLC Meredith PR LLC.msg	Get hash	malicious	Unknown	Browse	13.32.110.123
	https://ctfoodshare.org	Get hash	malicious	HTMLPhisher	Browse	52.33.181.156
	http://site.foodshare.org/site/DocServer	Get hash	malicious	HTMLPhisher	Browse	18.244.28.54
	https://email.email.pandadoc.net/c/eJxUz81qGzEQwPGnWd3W6Gsl7UEHF7MJSVtoUmicSxmNRraId7VV5KbJ0xcf0o_b8GcGfhN9MCokx2LB80xL-56jv4b6tt-eQ9gHmNRH_XjnHtWOkRdWCqW40IIdvVCGSxuVMoNRWgHymJxGsA6dS0Kw7CWXmlvhxCgGLTYowpiElgovMfFOc5ohnzYrLBFiwc1CjZ38sbX1uVPbTk6dnGBd_y5gmTs5vWM7OVEwpIU1NMaEIJV0hEmD4BSJj0nbEawka9hSWk4ZoeWyXJ4EF5KlIfUBU-x1pNi7IYVeq0DGWFQiRVbqAZb89ufo5nD1mj5_ife742173f0Y7j_MtGXVx0ovGyzlaYal0_xAp9zgomXNv2v_GfsG9UD_lUpzXiLVvpUey7yeqBH76SV7KfXpeQWkCyCpr7el6PNx--nqpn77dXf9sMeH3wEAAP__TvmT1g	Get hash	malicious	Unknown	Browse	35.163.144.222
	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse	52.27.94.100
	file.exe	Get hash	malicious	Unknown	Browse	3.165.136.111
	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse	143.204.205.88
	jklarm	Get hash	malicious	Unknown	Browse	44.231.219.156
	https://t.infomail.microsoft.com/r/?id=h707ecfa5,69ca6c1c,69ccacb0&e=b2NpZD1jbW1hbmlleDN4Mg&s=TT2m-Y1733ga9dYQbmzwO7CS0-MhXWa3NfkkfpZX75E	Get hash	malicious	Unknown	Browse	18.200.174.228
	https://a.kerika.com/acc_39TXETMEnauTtVtsNzbfFJ/c/brd_4nvvo2ooyq8HxjaMzCxzZb/cnvs_BfJOZ	Get hash	malicious	Tycoon2FA	Browse	52.219.95.2
CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCN	zx.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	zx.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	zx.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	zx.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	y7cm9CKSN9.elf	Get hash	malicious	Mirai	Browse	42.157.152.230
	zx.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	zx.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	jew.x86.elf	Get hash	malicious	Unknown	Browse	42.157.129.7
	http://www.bitdefenderlogin.com/	Get hash	malicious	Unknown	Browse	183.61.243.1
	SecuriteInfo.com.Trojan.Siggen23.13161.15240.4676.exe	Get hash	malicious	Unknown	Browse	183.61.243.1
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	https://www.cognitoforms.com/EngendaGroupLimited/EngendaGroupLimited	Get hash	malicious	HTMLPhisher	Browse	49.51.78.226
	Fatura20240617.exe	Get hash	malicious	FormBook	Browse	124.156.166.165
	NEW RFQ - Viasat LSDR.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	124.156.237.71
	REV-New Order 20240717.pif.exe	Get hash	malicious	Remcos	Browse	170.106.47.94
	yHIoCL9LQV.elf	Get hash	malicious	Mirai	Browse	170.106.89.57
	http://whats-lic.com/	Get hash	malicious	Unknown	Browse	129.226.81.93
	https://acrobat.adobe.com/id/urn:aaid:sc:eu:ee698a8c-0f5f-4d49-8e57-941bebba7ea3	Get hash	malicious	HTMLPhisher	Browse	162.62.150.176
	https://ado4784be78498pdf.standard.us-east-1.oortech.com/INV367387COPY.shtml	Get hash	malicious	HTMLPhisher	Browse	170.106.47.94
	http://43.249.172.195:888/112s	Get hash	malicious	Unknown	Browse	203.205.254.157
	mlk3kK6uLZ.exe	Get hash	malicious	Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar	Browse	170.106.76.24
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	https://www.cognitoforms.com/EngendaGroupLimited/EngendaGroupLimited	Get hash	malicious	HTMLPhisher	Browse	49.51.78.226
	Fatura20240617.exe	Get hash	malicious	FormBook	Browse	124.156.166.165
	NEW RFQ - Viasat LSDR.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	124.156.237.71
	REV-New Order 20240717.pif.exe	Get hash	malicious	Remcos	Browse	170.106.47.94
	yHIoCL9LQV.elf	Get hash	malicious	Mirai	Browse	170.106.89.57
	http://whats-lic.com/	Get hash	malicious	Unknown	Browse	129.226.81.93
	https://acrobat.adobe.com/id/urn:aaid:sc:eu:ee698a8c-0f5f-4d49-8e57-941bebba7ea3	Get hash	malicious	HTMLPhisher	Browse	162.62.150.176
	https://ado4784be78498pdf.standard.us-east-1.oortech.com/INV367387COPY.shtml	Get hash	malicious	HTMLPhisher	Browse	170.106.47.94
	http://43.249.172.195:888/112s	Get hash	malicious	Unknown	Browse	203.205.254.157
	mlk3kK6uLZ.exe	Get hash	malicious	Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar	Browse	170.106.76.24

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Common Files\adapt_for_imports.dll	sutup-Chrome.13.26.x64.msi	Get hash	malicious	BlackMoon	Browse
C:\Program Files (x86)\Common Files\Lua51.dll	sutup-Chrome.13.26.x64.msi	Get hash	malicious	BlackMoon	Browse
C:\Program Files (x86)\Common Files\beacon_sdk.dll	sutup-Chrome.13.26.x64.msi	Get hash	malicious	BlackMoon	Browse
C:\Program Files (x86)\Common Files\common.dll	sutup-Chrome.13.26.x64.msi	Get hash	malicious	BlackMoon	Browse

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	665482
Entropy (8bit):	6.537040712088255
Encrypted:	false
SSDEEP:	12288:oPJHi1yIMG5OraPJHi1yIMG5OrKPJHi1yIMG5Ork:yHit95CcHit95CsHit95Ck
MD5:	338B748B61069B5105A5F3AB1473E559
SHA1:	6FF2485ADDA3E218C54E36EE0B0109D002B7934D
SHA-256:	1B097D468BDFC8B280A2E2464247293F496683D6D582CDBCA6B542AC39247C58
SHA-512:	21CEF317CF0B5FBBF55A5937DAA765E96B80D5061E04183C8D9C1C7C157232BA4DD6D0AB87F8E34A0AEC658B26B03770DBB4525CDB1AAD5D0DEE48D26B9391A0
Malicious:	false
Preview:	...@IXOS.@.....@$..X.@.....@.....@.....@.....@.....@......&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}..1etsvpn..lets-test.msi.@.....@.....@.....@........&.{D5081896-4C2D-4C53-BFE1-6025F1920CD2}.....@.....@.....@.....@.......@.....@.....@.......@......1etsvpn......Rollback..ck(W.V...d\O:...[1]..RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.].....ProcessComponents..ck(W.f.e.~.N.l.Q..&.{595B7CE7-E971-4D65-AA8A-F0476F19E124}&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}.@......&.{92C80294-11B4-4FF7-9FC6-3CFF2DDD4C89}&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}.@......&.{CCF87755-7111-436F-BC7B-EF0479ACBAA4}&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}.@......&.{1B0C81AF-0EF7-485A-9CC5-EE499F9FFDE6}&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}.@......&.{0DE0322F-6139-4956-87EC-E84A0167D325}&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}.@......&.{FD51F2A8-9CC5-437F-8365-091692735C74}&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}.@......&.{EAD2CF5C-FD05-4FAE-A506-A111996F29BB}&.{5FD627E3-9BD5-491C-92C5-2934CD5F1E11}.@......&.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3325402160406286
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr5Q:KooCEYhgYEL0In
MD5:	3FDAA51122CB2BE87DAD53317FE1DCF6
SHA1:	AE5CA4B0A50AA3A6A7250307EFBE458364C2F6A4
SHA-256:	E7F78CDC0049D1896E536361B564CAD7E21A4ADAF050B533A2153F229E4D46ED
SHA-512:	C4036DCCA8344E69F0E962299C0BB112A6712784ECB8D9BB3E578247A9A00D8F9F495364616C25701DF0ACFE15E670BD43043A739A0B9E7C53137D43B4A87830
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8251
Entropy (8bit):	5.802979417543562
Encrypted:	false
SSDEEP:	192:fsNARKBeiRUarZQ3kiFY6qRAq1k8SPxVLZ7VTiB:fsNAgRHm0ia6q3QxVNZTiB
MD5:	F7B76A9B5A0C15219B5216B0EADD211F
SHA1:	9DFB54D06016CA5B092F5F1835456D34BF73A181
SHA-256:	D2989AD41FC4EA566389E0815F33CEE8B27328CAF85A27105A063B1EF4BD8ACA
SHA-512:	E6564B183EAF65E958E433E67D30FA6EE3FE64611B1B6F745326671902AA552031D0795D0F0FDC04772D94D001E59D84AC67B06DFE1FE5C145EDD6E72F5775F0
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Ve

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2240
Entropy (8bit):	5.363430800301509
Encrypted:	false
SSDEEP:	48:bWSU4xympjgZ9tz4RIoUl8NPP8l7u1iMuge//Zf0UyuE:bLHxvCZfIfSKHOOugo1E
MD5:	51DA01CAEB4BB0BB4796834DDEABA7C7
SHA1:	979661C15FECA9259A6CE69BA2546A213F6951AD
SHA-256:	EDE568A477E17C902A9D29031B0DF241067A2D7F9BF69D225E9229B672F54FEC
SHA-512:	29DC7F57D2AF0CC16609CE754224D36293A36546CF7897CB484C91AB694550CF4BB2711D904AA58E223B4C75BAFD45FCE4967352D60CE8C4E3E3B5429E7E976A
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.063558190257152
Encrypted:	false
SSDEEP:	192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
MD5:	26009F092BA352C1A64322268B47E0E3
SHA1:	E1B2220CD8DCAEF6F7411A527705BD90A5922099
SHA-256:	150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
SHA-512:	C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
Malicious:	false
Preview:	; ***************************************************************************..; Copyright (C) 2002-2014 OpenVPN Technologies, Inc. ..; This program is free software; you can redistribute it and/or modify ..; it under the terms of the GNU General Public License version 2 ..; as published by the Free Software Foundation. ..; *************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*******************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.063558190257152
Encrypted:	false
SSDEEP:	192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
MD5:	26009F092BA352C1A64322268B47E0E3
SHA1:	E1B2220CD8DCAEF6F7411A527705BD90A5922099
SHA-256:	150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
SHA-512:	C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
Malicious:	false
Preview:	; ***************************************************************************..; Copyright (C) 2002-2014 OpenVPN Technologies, Inc. ..; This program is free software; you can redistribute it and/or modify ..; it under the terms of the GNU General Public License version 2 ..; as published by the Free Software Foundation. ..; *************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*******************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 936, Revision Number: {D5081896-4C2D-4C53-BFE1-6025F1920CD2}, Number of Words: 2, Subject: 1etsvpn, Author: 1etsvpn, Name of Creating Application: 1etsvpn, Template: ;2052, Comments: Installer 1etsvpn , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Jul 18 07:56:44 2024, Last Saved Time/Date: Thu Jul 18 07:56:44 2024, Last Printed: Thu Jul 18 07:56:44 2024, Number of Pages: 450
Entropy (8bit):	7.992676731270942
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	lets-test.msi
File size:	52'425'728 bytes
MD5:	b0428243a495bc1691d4c4f33b54e0eb
SHA1:	e7b0c8d355fc3cc1158b96b3a0e3420fac2b3f06
SHA256:	5683928d134cc328a0ae1460fb0c58ddf97d5bc854758c97a5c4d3c1869b842d
SHA512:	2e61c7d1e97b8e878b6ed492230ba89dd803410086959cf9cab71bb407eeb9f3b66bbdb9b48f2344be6a7f1f6bddffaeb60a190c335df9e53faab7bd7b086b29
SSDEEP:	786432:4xAq3kvG6v0/mooApRkpeGUIhkdoOcATOGqltpIXfiOlMVVqSqGVEA+c:hqUvL8/mQrk0RolAKZi1lyVqwEA+c
TLSH:	CEB73332388AC435E25F2A752A3B6B2E463D7D31076440DBE3D4BE3659B6AC35130B97
File Content Preview:	........................>................... ...................................=...>...?...@...A...B...C...D...E...............H...I...J...K...L...M..........................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 18, 2024 22:57:12.122569084 CEST	58368	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:12.729069948 CEST	53	58368	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:12.732191086 CEST	55367	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:12.993700981 CEST	53	55367	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:13.972997904 CEST	59728	8000	192.168.2.4	103.7.30.61
Jul 18, 2024 22:57:14.367027044 CEST	52673	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:14.367248058 CEST	59528	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:14.374957085 CEST	53	52673	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:14.375193119 CEST	53	59528	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:14.831830025 CEST	54816	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:14.994512081 CEST	53	54816	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:16.843118906 CEST	62332	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:16.843341112 CEST	57429	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:16.843817949 CEST	57771	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:16.843955040 CEST	51114	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:16.850263119 CEST	53	62332	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:16.850298882 CEST	53	57429	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:16.850681067 CEST	53	51114	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:16.851717949 CEST	53	57771	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:16.900005102 CEST	55443	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:16.900316000 CEST	51826	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:16.907383919 CEST	53	51826	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:16.908361912 CEST	53	55443	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:18.961889029 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.264466047 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.462930918 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.463046074 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.463180065 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.463887930 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.464133978 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.464447021 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.467289925 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.467813969 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.467989922 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.468511105 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.468677998 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.566179037 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.566267014 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.566298008 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.566325903 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.566817999 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.566916943 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.567007065 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.567706108 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.568422079 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.568773031 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:19.663289070 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:19.701798916 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:32.634438038 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:32.634680033 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:32.733066082 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:32.738368988 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:32.757021904 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:32.757505894 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:33.759655952 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:33.760202885 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:33.761070967 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:33.857827902 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:33.859461069 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:33.859581947 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:33.859764099 CEST	443	49885	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:33.860099077 CEST	49885	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.077667952 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.218126059 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.218164921 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.219230890 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.219265938 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.219302893 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.219456911 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.219527006 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.222048044 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.222196102 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.222507000 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.222701073 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.324970961 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.325016975 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.325462103 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.325474977 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.325598955 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.325695038 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.326172113 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.326514959 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.326719999 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:34.422760963 CEST	443	59609	162.159.61.3	192.168.2.4
Jul 18, 2024 22:57:34.453962088 CEST	59609	443	192.168.2.4	162.159.61.3
Jul 18, 2024 22:57:36.531887054 CEST	59474	8000	192.168.2.4	103.7.30.83
Jul 18, 2024 22:57:43.030553102 CEST	63420	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:45.801223993 CEST	59754	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:45.842638969 CEST	53	59754	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:47.307521105 CEST	58451	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:47.307949066 CEST	57894	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:47.313497066 CEST	60021	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:47.314783096 CEST	53	58451	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:47.315726042 CEST	53	57894	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:47.321775913 CEST	53	60021	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:47.839534044 CEST	60023	53	192.168.2.4	8.8.8.8
Jul 18, 2024 22:57:47.839867115 CEST	54761	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:47.842751026 CEST	60024	53	192.168.2.4	8.8.8.8
Jul 18, 2024 22:57:47.848001003 CEST	53	54761	1.1.1.1	192.168.2.4
Jul 18, 2024 22:57:47.859025955 CEST	54762	53	192.168.2.4	8.8.8.8
Jul 18, 2024 22:57:48.035912037 CEST	54763	443	192.168.2.4	23.98.101.155
Jul 18, 2024 22:57:48.078005075 CEST	53	60024	8.8.8.8	192.168.2.4
Jul 18, 2024 22:57:48.096014977 CEST	53	54762	8.8.8.8	192.168.2.4
Jul 18, 2024 22:57:48.145606995 CEST	53	60023	8.8.8.8	192.168.2.4
Jul 18, 2024 22:57:48.270456076 CEST	61527	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:57:49.470283031 CEST	61528	443	192.168.2.4	183.60.146.66
Jul 18, 2024 22:57:50.891899109 CEST	57335	443	192.168.2.4	35.227.223.56
Jul 18, 2024 22:57:52.157469034 CEST	57336	443	192.168.2.4	23.98.101.155
Jul 18, 2024 22:57:53.633419991 CEST	57337	443	192.168.2.4	23.98.101.155
Jul 18, 2024 22:57:54.944839954 CEST	57338	443	192.168.2.4	23.98.101.155
Jul 18, 2024 22:57:56.216576099 CEST	57339	443	192.168.2.4	23.98.101.155
Jul 18, 2024 22:57:57.498002052 CEST	57340	443	192.168.2.4	183.60.146.66
Jul 18, 2024 22:57:58.826363087 CEST	57341	443	192.168.2.4	183.60.146.66
Jul 18, 2024 22:58:00.110742092 CEST	57342	443	192.168.2.4	183.60.146.66
Jul 18, 2024 22:58:01.522526979 CEST	57343	443	192.168.2.4	183.60.146.66
Jul 18, 2024 22:58:02.943325043 CEST	57344	443	192.168.2.4	35.227.223.56
Jul 18, 2024 22:58:03.148869038 CEST	55984	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:58:04.185846090 CEST	55985	443	192.168.2.4	35.227.223.56
Jul 18, 2024 22:58:06.273314953 CEST	55986	443	192.168.2.4	35.227.223.56
Jul 18, 2024 22:58:07.318085909 CEST	55987	443	192.168.2.4	35.227.223.56
Jul 18, 2024 22:58:08.318795919 CEST	55988	53	192.168.2.4	8.8.8.8
Jul 18, 2024 22:58:08.319052935 CEST	57093	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:58:08.331227064 CEST	53	57093	1.1.1.1	192.168.2.4
Jul 18, 2024 22:58:08.554013968 CEST	53	55988	8.8.8.8	192.168.2.4
Jul 18, 2024 22:58:25.808140993 CEST	57501	53	192.168.2.4	1.1.1.1
Jul 18, 2024 22:58:25.821979046 CEST	53	57501	1.1.1.1	192.168.2.4
Jul 18, 2024 22:59:15.909946918 CEST	53491	53	192.168.2.4	1.1.1.1
Jul 18, 2024 23:00:07.794265032 CEST	65191	53	192.168.2.4	1.1.1.1

Timestamp	Bytes transferred	Direction	Data
Jul 18, 2024 22:57:15.250777960 CEST	166	OUT	POST / HTTP/1.1 Host: tqos.wegamex.com.hk Accept: / Content-Length: 689 Content-Type: multipart/form-data; boundary=------------------------15ced2856b975cac
Jul 18, 2024 22:57:15.250866890 CEST	689	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 31 35 63 65 64 32 38 35 36 62 39 37 35 63 61 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 Data Ascii: --------------------------15ced2856b975cacContent-Disposition: form-data; name="tqos"tqos={"Body":{"QOSRep":{"BusinessID":1,"Flag":1,"QosList":[{"AppendDesc":{"Comm":{"IntList":[0,0,-856844160,1484,2905,-1,0,0,0,0,0,0],"IntNum":12,"StrLi

Timestamp	Bytes transferred	Direction	Data
Jul 18, 2024 22:57:45.871335030 CEST	265	OUT	GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1 Host: ws-ap1.pusher.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Version: 13 Sec-WebSocket-Key: NmRhMTFjMTgtMjY0OC00OQ== Origin: ws://ws-ap1.pusher.com
Jul 18, 2024 22:57:46.768934011 CEST	166	IN	HTTP/1.1 101 Switching Protocols Date: Thu, 18 Jul 2024 20:57:46 GMT Connection: upgrade Upgrade: websocket Sec-WebSocket-Accept: xRIXWW4XTl1JhIKyqxOe5sPS9wE=
Jul 18, 2024 22:57:46.977545023 CEST	166	IN	HTTP/1.1 101 Switching Protocols Date: Thu, 18 Jul 2024 20:57:46 GMT Connection: upgrade Upgrade: websocket Sec-WebSocket-Accept: xRIXWW4XTl1JhIKyqxOe5sPS9wE=
Jul 18, 2024 22:57:47.469232082 CEST	242	IN	Data Raw: 81 7e 00 92 7b 22 65 76 65 6e 74 22 3a 22 70 75 73 68 65 72 3a 65 72 72 6f 72 22 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 34 30 30 31 2c 22 6d 65 73 73 61 67 65 22 3a 22 41 70 70 20 6b 65 79 20 34 66 63 34 33 36 65 66 33 36 66 34 30 32 36 Data Ascii: ~{"event":"pusher:error","data":{"code":4001,"message":"App key 4fc436ef36f4026102d7 not in this cluster. Did you forget to specify the cluster?"}}ZApp key 4fc436ef36f4026102d7 not in this cluster. Did you forget to specify the cluster?
Jul 18, 2024 22:57:47.784744978 CEST	8	OUT	Data Raw: 88 82 19 b6 01 6e 1a 5e Data Ascii: n^

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:57:15 UTC	594	OUT	GET /crx/blobs/Af2yII2B0rZ8cHZ0zhAQMpE5nnHa-luPaKnkV2HzRYHJSUKQp47BzdeiX0Igp7uG9ixLd9f-dn93AlqvBwPDqfl_F5H1vnj2K-nXA2wr_RToPGmP3S9lmWq3G-LCKHiOc8oAxlKa5TcGVwrsFgTq79yNDjEULjiD5Cwy/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_79_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-07-18 20:57:15 UTC	571	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 105751 X-GUploader-UploadID: ACJd0Nqnc5nOjVvdizvsjHOd24E6OcXUPfZIKfHPtJKyXQt7emlhz-8N8Crz0lh7pA1aMKf5nus7a79kAw X-Goog-Hash: crc32c=+iMxGQ== Server: UploadServer Date: Thu, 18 Jul 2024 20:53:17 GMT Expires: Fri, 18 Jul 2025 20:53:17 GMT Cache-Control: public, max-age=31536000 Age: 238 Last-Modified: Tue, 16 Jul 2024 20:53:03 GMT ETag: d0ca9368_cfe1c52e_26a2b87e_8ea78d1b_1848b259 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-18 20:57:15 UTC	819	IN	Data Raw: 43 72 32 34 03 00 00 00 38 16 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr2480"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: bf fe f1 4b d6 d7 ea eb 3c 8c e7 4b ff eb ef bf c6 af ba 6e 8a 6b f3 1f 43 fd f5 1f ef 67 55 ff fa cf 5f d7 f3 47 5f cb df ab 4b 3f d6 fd f8 eb ef ff f8 35 14 0f 75 29 a4 79 7f fd 88 da d2 76 2d c1 5d 2b b3 9b a6 b2 1b 55 3d 0e 4f dc b9 9e 73 3d 7d e7 f6 f8 5e d9 ea 49 a4 87 27 b4 7f 71 d1 f9 7e 16 81 ea 45 86 ac 43 7b 39 9b f7 37 71 4b ed c3 cf bf 6b 75 15 59 7c 3e a9 f1 b7 43 ef 35 32 f8 38 9f ce 87 29 6e 3f 6e 55 e0 f6 3f ef a9 f4 f6 5b c2 ed 25 cf d0 e5 e7 f3 c2 46 5c 3c ac 89 f3 8f 47 da 8d 18 31 38 52 3d b6 22 40 ba d0 14 c8 99 1d 2a 10 21 04 c4 8e e8 e8 51 84 d1 a6 0e 84 2b 1e d1 f6 18 5e cf 55 00 ad 62 77 78 3a a8 ed b5 b4 51 53 06 6c 3e da 50 1f 6d a0 2a 07 35 c2 36 af f5 30 97 f6 e6 7c dc 45 8f d2 de fe 7b 9d 3f f7 16 4d 85 af 7a e6 34 fb 14 32 Data Ascii: K<KnkCgU_G_K?5u)yv-]+U=Os=}^I'q~EC{97qKkuY\|>C528)n?nU?[%F\<G18R="@!Q+^Ubwx:QSl>Pm560\|E{?Mz42
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: 26 3f 65 c9 86 b5 91 c8 75 f7 40 b0 72 4d cd a2 45 f6 c6 fb af bc 3e ce 67 36 89 cc cc 7b 85 6d 64 59 0e 65 b0 90 3e 0a ca 3d 4c 8a 10 e1 58 f9 8e d4 cd 0e fb d0 68 40 84 ab 07 08 b1 25 bf 17 af df 1f d6 7a ee 0d 99 a3 31 ee 95 12 d6 e4 1d 29 ba c7 74 d4 54 c9 5d b9 97 7e ba 97 51 45 45 82 01 f6 aa de 68 34 35 7a c4 e8 14 87 cb 7b 5f fd 7f 68 70 d5 e2 21 b7 1a 25 43 f1 55 d8 2a 4b fd 78 24 a1 e7 27 ad e8 85 1d e5 58 9b 52 70 bc b3 f0 45 4e b5 78 ab 14 f4 b0 2d 37 cb bd 27 d7 f2 1f 8d cf dd e0 40 f8 68 6e 3a e9 47 36 01 50 a3 50 88 c2 1a 8e 64 36 1a 10 60 1e 87 2f 76 62 df ef 2c c4 49 4e f1 be d6 1f f7 45 fe ce da de 1b 7c a4 60 97 39 c3 ab 54 fe 7c 82 4d 47 00 a2 d8 69 22 93 31 52 d1 81 d9 64 1d 6a e6 41 90 58 e0 15 11 15 54 0e b4 cb 65 ef 77 29 56 b2 c7 Data Ascii: &?eu@rME>g6{mdYe>=LXh@%z1)tT]~QEEh45z{_hp!%CU*Kx$'XRpENx-7'@hn:G6PPd6`/vb,INE\|`9T\|MGi"1RdjAXTew)V
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: ec 05 25 f2 48 b8 c9 51 9a b9 d8 89 76 b5 9e de 4e a9 f5 a8 42 f9 55 58 38 33 9e 6b 9f c2 01 16 b3 e8 84 36 b9 63 89 bd e3 35 6b 7d ce 89 6e 5c ca 23 2d f8 01 10 c0 3e 51 37 f8 82 bb 0d 6f 21 22 74 4c 70 e0 de 88 6e 14 f7 a1 9d 32 e4 d6 1a 7e 62 53 9b 4b ec ab 60 25 7b 35 d0 a2 85 a2 6a bd 73 c5 b7 47 42 b1 9d 38 78 23 b4 78 cd 89 f7 4d 8c eb c7 dd b6 41 7c fb 60 56 0e 48 f7 0c 52 a7 02 c5 fe 65 89 fd dd f0 dd d1 95 ba 53 85 fe 24 e0 87 23 ba c1 30 8f 7a b6 c7 63 aa d1 89 f8 46 87 68 77 ff 39 6f 24 c1 70 cd 1d f1 d3 7f 5d de 47 8f 38 38 3c fe 1f fc ad 0c 78 74 6d fd 33 b0 3d c8 cc b3 b8 3f be 26 d6 36 2c 15 e2 c9 cc ba 14 26 33 85 9d cb f9 f8 14 ef bd 3c 25 12 54 14 5d b0 1a 5a 31 c3 45 dd af f4 ca 99 ab b0 c9 af d1 2d 69 3f dc d8 77 fd c2 ac af 08 9a b4 Data Ascii: %HQvNBUX83k6c5k}n\#->Q7o!"tLpn2~bSK`%{5jsGB8x#xMA\|`VHReS$#0zcFhw9o$p]G88<xtm3=?&6,&3<%T]Z1E-i?w
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: 6b b4 57 57 36 7a 08 ce 6e c2 f4 9a e4 40 95 3d 36 eb 57 3f bc 87 f2 fc 3f b0 56 e2 2b d6 13 2d 80 3f 97 00 e5 44 fb f7 72 ef bd 9f 60 74 4d f9 c6 2e ac 2d ae 02 29 30 cd 37 95 23 8e 15 17 f7 0a 78 76 4a fe 74 8e 75 ff e9 e5 cc 66 63 ae 59 97 39 3f 1c d4 fd 0f ee 7f 75 5d 1d 8f c4 52 9f 24 13 11 f2 d9 6b 0e 3c 72 a4 ee a1 cc 3c 17 1b 45 a1 1d f2 70 48 e7 b2 47 2a 25 f9 84 f7 2f 4e ca a2 36 b3 ff f4 7b c9 6c 6a da 2e 38 52 99 23 4d 96 18 95 f1 85 67 53 df ef 55 18 7d 8b ff e9 fa 6a 48 4f 19 da 11 8b dd 8b 7e e8 8e a4 b9 8b 4c b6 d2 49 ee c6 3f 6b 6c 4d 45 49 e5 bd 64 28 a4 19 75 65 1b bd 53 dd 98 d9 d2 9d df 99 75 3d 68 61 ae 05 1a f9 47 bd e2 1f ee ff aa 27 53 5f 7f 5c 03 6e cf 3f 9a 57 80 ed 5c 64 83 32 7b 64 c5 fb ce fe d7 67 95 e9 05 f0 93 e3 ff 38 4b Data Ascii: kWW6zn@=6W??V+-?Dr`tM.-)07#xvJtufcY9?u]R$k<r<EpHG*%/N6{lj.8R#MgSU}jHO~LI?klMEId(ueSu=haG'S_\n?W\d2{dg8K
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: 35 76 33 3f e7 db b8 95 87 59 90 f0 15 f0 9d 24 9d c5 d3 c1 84 76 c5 6d a6 99 c3 34 71 5b 68 84 8f f5 2e 68 cd c7 47 40 74 46 79 f8 c3 75 72 18 21 5f 2c e7 64 16 8f 87 93 ef 33 9a 0d 8c ce 45 f4 69 4d 19 20 ef d0 f5 7e eb ec ff f9 e4 c9 93 36 8d dc 4f 35 55 00 90 06 1a a2 ad c1 3c 9d 32 9c b9 05 5a 7b 30 2c e4 85 57 2b 79 06 a2 3b b4 a5 1b 07 a3 f9 1f fc e9 d3 c0 7e dc 2d d9 70 92 26 aa 58 e7 91 fe 28 9f e1 f5 fd 6d fd 5a 3e 3f 2b c7 cc fe f1 e8 01 fd 70 24 26 37 1c cf 8f 61 96 f1 e3 48 6e b6 58 e2 6f 12 fe 3c 8e 8e e3 7e 3f 10 bb 35 09 4d ba b5 b9 29 5f 6b a0 03 f2 6e 58 45 60 6d 8d cf b7 c3 de 55 02 9c 01 e6 8b 6d 0a 88 ed 2d 15 29 33 76 6d 26 48 d9 d5 28 bd 98 77 81 ca b1 e3 0a d8 fb 61 3d 67 58 6a d2 a8 29 63 61 72 1f 06 f8 71 1e 32 8d c2 03 c6 69 04 Data Ascii: 5v3?Y$vm4q[h.hG@tFyur!_,d3EiM ~6O5U<2Z{0,W+y;~-p&X(mZ>?+p$&7aHnXo<~?5M)_knXE`mUm-)3vm&H(wa=gXj)carq2i
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: 9c f7 3d c9 9a 89 4c 73 2e 94 11 78 62 ab cb d7 06 02 a8 dd ae 78 37 cc 9c d5 b2 6e ab 8d 4f 95 8d c6 79 8a 2d 00 48 5a 5d aa c6 ca 8a 1c 00 d4 5e be 22 3e 63 75 81 04 a7 d2 8b 62 14 a5 bb e7 7f d6 da 14 c7 8c 3d 0b 31 34 ff 48 80 60 c0 78 86 ee 1e 3e cb be 7f c2 eb 09 fe bb 5c 76 3f 13 2b 19 fa 13 ff 22 ac 08 13 d4 cf 30 dc 0b 26 e1 e7 a5 80 30 00 08 16 d2 1f 7a be 60 45 72 79 2f ec 19 50 47 16 e1 32 d4 3f 9a 9f cb 89 ec 0a 1d 1b b0 f5 33 f7 ae 04 c7 18 b6 24 b3 e8 00 6b 1b c2 6e e7 1c 80 33 87 ed 6e 61 be 93 3c c1 22 82 9f 40 3b 9a 00 f0 81 b4 11 5d eb 02 05 bc 83 cd 06 9c b9 0e 0d c1 e7 84 cb 46 3d 44 b9 52 90 f3 13 2e f2 94 9e 12 05 db 38 0f b1 dc 61 42 cf b8 ba 75 40 a8 4a 6d 3e e0 7b c9 e5 36 ac c7 e2 f4 b6 b5 e4 2e 81 e1 42 49 7f 12 0e 85 da 17 6c Data Ascii: =Ls.xbx7nOy-HZ]^">cub=14H`x>\v?+"0&0z`Ery/PG2?3$kn3na<"@;]F=DR.8aBu@Jm>{6.BIl
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: 18 ec 20 d8 28 82 94 2c 7d de 3b 97 a5 45 bb 9e 5f 6d 81 d3 42 f1 79 e5 ab f5 81 56 1d f6 b4 cd 77 d2 6b 08 3e ed 25 0d 17 45 8a a9 4d b4 db e0 00 7b 2e ff 4b ae d2 18 76 6a 8b 76 b3 0f 92 bd f8 c0 e9 c9 62 21 18 83 04 67 81 e0 f4 ef 88 e6 2a 33 92 6f 89 cc 9a 3f 4c 3e 60 57 54 c5 88 2f 20 0d d6 d3 de da f2 37 da 1e b1 21 73 c2 71 99 b2 a9 69 d0 a8 a1 31 2b 30 ad 10 1d bb 45 8b eb 16 0a 5b 37 14 14 f9 18 ed 4a 16 bf 57 95 5c 03 f6 62 f9 11 e6 84 1f 76 7d b1 6b 6b fc b6 31 6f 60 b5 71 80 3e a0 9b 2f 9a eb a3 9e 65 b6 08 df fe 51 73 0d 6a ae da 0a b5 7d 4d 3b 77 6a 1b e2 13 ac 34 05 c4 7c 9f 99 c6 89 aa 22 8d 0b 62 50 2f a0 f9 86 0e 2d 68 fe 24 14 b4 06 e6 4d 4a 52 e9 4f 68 7f 22 e1 27 fb b9 d5 e9 aa 63 bc 06 e8 81 34 77 89 f1 a7 5c 3f e4 ce 2f 90 ea 9f a1 Data Ascii: (,};E_mByVwk>%EM{.Kvjvb!g*3o?L>`WT/ 7!sqi1+0E[7JW\bv}kk1o`q>/eQsj}M;wj4\|"bP/-h$MJROh"'c4w\?/
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: 98 44 c5 5c ab 1d cb 20 bb 8d 52 91 29 52 9a e1 b2 de fb ed ce 9d c6 ee 78 72 39 1d e4 c5 bc 81 9a e3 6e 39 9e 9d 4e d3 c6 eb 41 34 65 d3 cb c6 ce e9 bc 18 4f 67 ad 3b 8d a3 77 7b 5f b7 5e 0f e2 74 34 4b b7 0e 12 d8 d6 83 6c 90 4e bb 8d 9d 09 10 f2 74 6b bb d5 be f3 db bd 3b 38 ed 19 0b 67 40 14 af 96 fe 39 41 71 b1 c0 f8 43 7d 3e 61 2e d5 34 fb 18 11 5f a5 f3 80 01 00 f0 88 90 12 d7 38 10 8f 28 a0 d9 0a e6 5a 2c cc 4f ae 83 2d 38 4d ac 6f 4a 9c 52 8f 23 2b 00 f4 58 0c 32 94 3d 03 8f 29 b3 25 1a 26 f8 3a f4 62 20 56 c0 12 e0 df 8d d5 f3 64 f0 b6 87 e7 95 92 7e 97 ff 09 af 96 5d fa 1b 69 4f c6 a9 98 1e 9f cf 19 73 9d dd d7 6f 8f 3e 7d d8 ff fe ec f5 ce f3 23 87 42 fc b1 0b a6 bc 57 4c 28 1c ac 6b b4 73 26 8e 71 d4 9e b5 8a c2 73 71 5a 85 99 31 d6 b8 cf c2 Data Ascii: D\ R)Rxr9n9NA4eOg;w{_^t4KlNtk;8g@9AqC}>a.4_8(Z,O-8MoJR#+X2=)%&:b Vd~]iOso>}#BWL(ks&qsqZ1
2024-07-18 20:57:15 UTC	1390	IN	Data Raw: 06 25 ff 9f 35 d6 93 ef ba fc f8 75 16 85 d0 aa e7 e7 f4 d7 d9 4e 01 05 03 e9 1f 16 32 0a fe f4 4f 98 6b f9 e4 dd ab 17 51 b7 e3 ef 47 dd 6d 7f 37 ea 3e f0 df 46 dd 3f fc 37 f0 ee 91 ff 3a ea de df f6 e7 51 f7 d1 03 ff 23 bc d9 fe c3 7f 0a e5 1e 3e f2 77 a2 ee c3 ce b6 ff 0c 5e b6 b7 1f f8 97 f0 b6 fd e0 0f ff 08 1a 68 ff f9 c8 ff 05 6d 74 fe dc 5e 7a 20 68 90 b2 5d 44 61 12 55 4f 45 1f 67 51 7f 01 3a 69 b7 f2 be f5 55 c9 26 3d f8 01 45 ba 6b 4e 17 43 85 ab af 5d e9 e8 f4 af 4b 55 90 82 96 96 8a 2f e8 90 5d fa 83 ca 98 b4 bc 46 03 6b 2f bb 75 df 60 3c ed a5 7f 72 6d dd 75 35 97 fe 8f 75 70 30 73 12 dc 00 8f ff 23 e0 08 6a 64 d5 32 e2 03 f8 11 81 86 e4 b2 05 30 98 ad ce 83 87 7f 76 4c 9d 64 58 29 74 ff 01 2f f5 f0 77 83 71 8d 22 61 24 78 f2 a4 f3 80 0c 94 Data Ascii: %5uN2OkQGm7>F?7:Q#>w^hmt^z h]DaUOEgQ:iU&=EkNC]KU/]Fk/u`<rmu5up0s#jd20vLdX)t/wq"a$x

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:57:16 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-07-18 20:57:16 UTC	571	IN	HTTP/1.1 200 OK Date: Thu, 18 Jul 2024 20:57:16 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Content-MD5: 2Sac1JgWnA2goeZEYMrzXg== Last-Modified: Wed, 10 Jul 2024 22:08:29 GMT ETag: 0x8DCA12CD4988DF1 x-ms-request-id: 649b69ab-701e-0068-1a55-d93656000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240718T205716Z-15b94bb6ff9l2slhr3ee6x866g0000000bc000000000txd4 Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-07-18 20:57:16 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:57:17 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-07-18 20:57:17 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-07-18 20:57:17 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 18 Jul 2024 20:57:17 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8a55621bfafe0f6f-EWR alt-svc: h3=":443"; ma=86400
2024-07-18 20:57:17 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 f2 00 04 8e fa 41 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:57:18 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-07-18 20:57:18 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-07-18 20:57:18 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 18 Jul 2024 20:57:18 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8a5562227cdf42b7-EWR alt-svc: h3=":443"; ma=86400
2024-07-18 20:57:18 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 19 00 04 8e fa b0 c3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:57:20 UTC	448	OUT	POST /chromewebstore/v1.1/items/verify HTTP/1.1 Host: www.googleapis.com Connection: keep-alive Content-Length: 119 Content-Type: application/json Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-07-18 20:57:20 UTC	119	OUT	Data Raw: 7b 22 68 61 73 68 22 3a 22 41 75 50 61 72 61 58 73 76 48 4b 63 57 59 75 7a 4c 67 50 2f 4c 72 4b 45 50 5a 33 57 6e 30 4b 67 48 51 31 55 71 52 68 6e 4b 43 30 3d 22 2c 22 69 64 73 22 3a 5b 22 67 68 62 6d 6e 6e 6a 6f 6f 65 6b 70 6d 6f 65 63 6e 6e 6e 69 6c 6e 6e 62 64 6c 6f 6c 68 6b 68 69 22 5d 2c 22 70 72 6f 74 6f 63 6f 6c 5f 76 65 72 73 69 6f 6e 22 3a 31 7d Data Ascii: {"hash":"AuParaXsvHKcWYuzLgP/LrKEPZ3Wn0KgHQ1UqRhnKC0=","ids":["ghbmnnjooekpmoecnnnilnnbdlolhkhi"],"protocol_version":1}
2024-07-18 20:57:20 UTC	341	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Vary: Origin Vary: X-Origin Vary: Referer Date: Thu, 18 Jul 2024 20:57:20 GMT Server: ESF Content-Length: 483 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-18 20:57:20 UTC	483	IN	Data Raw: 7b 0a 20 20 22 70 72 6f 74 6f 63 6f 6c 5f 76 65 72 73 69 6f 6e 22 3a 20 31 2c 0a 20 20 22 73 69 67 6e 61 74 75 72 65 22 3a 20 22 68 34 5a 36 65 31 50 44 69 39 78 32 52 45 7a 5a 76 6e 74 30 58 2f 2f 37 4c 6e 51 6c 73 2f 74 53 71 55 47 55 59 74 71 75 48 52 72 54 50 6a 69 5a 57 59 4e 7a 30 74 65 78 75 44 41 69 4a 76 38 6e 50 57 7a 52 37 39 36 45 49 44 74 6b 75 2b 6c 38 67 74 67 58 6d 73 6d 35 76 75 71 75 75 56 2f 48 6b 35 2f 30 77 45 33 70 75 47 43 77 41 6f 79 55 7a 2b 6f 6a 38 76 43 54 70 35 4b 4f 35 6b 33 61 6b 64 61 77 70 67 77 55 76 33 6e 79 43 74 33 67 68 6d 65 58 4e 59 4c 75 56 45 72 33 4a 79 6b 75 69 46 52 62 64 31 64 48 2b 36 68 71 4d 65 38 64 41 36 41 62 62 68 38 77 75 43 6a 5a 30 44 65 39 70 4e 50 64 46 33 6c 41 65 34 34 59 6f 61 4d 37 64 53 43 4d Data Ascii: { "protocol_version": 1, "signature": "h4Z6e1PDi9x2REzZvnt0X//7LnQls/tSqUGUYtquHRrTPjiZWYNz0texuDAiJv8nPWzR796EIDtku+l8gtgXmsm5vuquuV/Hk5/0wE3puGCwAoyUz+oj8vCTp5KO5k3akdawpgwUv3nyCt3ghmeXNYLuVEr3JykuiFRbd1dH+6hqMe8dA6Abbh8wuCjZ0De9pNPdF3lAe44YoaM7dSCM

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:57:33 UTC	614	OUT	GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1721941035&P2=404&P3=2&P4=M7A1OzH62S9Lk3UHKN5cCSEzeUZ01KVvQkb3YBsYyAsZEb3jWqQ4rtBDc42rk4GP3zd%2b0DfERo9Q01hcvKyUew%3d%3d HTTP/1.1 Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com Connection: keep-alive MS-CV: 1jOZtoZB8Px9C8siZ9XR9i Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-07-18 20:57:33 UTC	632	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Age: 1262784 Cache-Control: public, max-age=17280000 Content-Type: application/x-chrome-extension Date: Thu, 18 Jul 2024 20:57:33 GMT Etag: "Gv3jDkaZdFLRHkoq2781zOehQE8=" Last-Modified: Wed, 24 Jan 2024 00:25:37 GMT MS-CorrelationId: b4b4aabf-4d02-4629-96b1-a382405b6a31 MS-CV: 642I+iNy0Qp5KFcIV/sUKh.0 MS-RequestId: 5245ac9e-0afd-43ce-8780-5c7d0bedf1d4 Server: ECAcc (nyd/D11E) X-AspNet-Version: 4.0.30319 X-AspNetMvc-Version: 5.3 X-Cache: HIT X-CCC: US X-CID: 11 X-Powered-By: ASP.NET X-Powered-By: ARR/3.0 X-Powered-By: ASP.NET Content-Length: 11185 Connection: close
2024-07-18 20:57:33 UTC	11185	IN	Data Raw: 43 72 32 34 03 00 00 00 1d 05 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 bb 4e a9 d8 c8 e8 cb ac 89 0d 45 23 09 ef 07 9e ab ed 9a 39 65 ef 75 ea 71 bc a5 c4 56 59 59 ef 8c 08 40 04 2b ed 43 d0 dc 6b a7 4f 88 b9 62 4b d3 60 94 de 36 ee 47 92 ab 25 8a 1e cc 0d fa 33 5a 12 19 8e 65 20 5f fd 36 15 d6 13 1e 46 ae 8b 31 70 18 f1 a8 4b 1d 5a ff de 0e 83 8e 11 b2 2f 20 ed 33 88 cb fb 4f 54 94 9e 60 00 d3 bc 30 ab c0 d7 59 8b b0 96 46 54 fc f0 34 33 1c 74 68 d6 79 f9 0c 8c 7d 8a 91 98 ca 70 c6 4c 0f 1b c8 32 53 b9 26 69 cc 60 09 8d 6f ec f9 a6 66 8d 6f 48 81 0e 05 8a f1 97 4e b8 c3 94 3a b3 f7 69 6a 54 89 33 da 9e 46 7b d1 30 bb 2c cc 66 3f 27 66 e3 43 51 74 3b 62 5f 22 50 63 08 e5 20 Data Ascii: Cr240"0*H0NE#9euqVYY@+CkObK`6G%3Ze _6F1pKZ/ 3OT`0YFT43thy}pL2S&i`ofoHN:ijT3F{0,f?'fCQt;b_"Pc

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:57:48 UTC	182	OUT	GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-07-18 20:57:49 UTC	676	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: nginx/1.16.0 Date: Thu, 18 Jul 2024 20:57:49 GMT X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Expires: Thu, 18 Jul 2024 20:57:49 GMT Cache-Control: private, max-age=1 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Accept-Ranges: none Vary: Accept-Encoding X-Cache: Miss from cloudfront Via: 1.1 ff7010ce6a43809a9e2df5e6441e868e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: CDG55-P3 X-Amz-Cf-Id: Gn2tqql0E8kN9a0npb6VVMVpDuRyxlTmukVR5ROVpApupFm-9esm4Q==
2024-07-18 20:57:49 UTC	458	IN	Data Raw: 31 63 33 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 31 2c 22 64 61 74 61 22 3a 22 36 37 2e 31 33 37 2e 31 37 34 2e 32 35 34 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 31 2c Data Ascii: 1c3{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nit.crash1ytics.com.","type":1}],"Answer":[{"name":"nit.crash1ytics.com.","type":1,"TTL":1,"data":"67.137.174.254"},{"name":"nit.crash1ytics.com.","type":1,"TTL":1,
2024-07-18 20:57:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-18 20:58:09 UTC	182	OUT	GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-07-18 20:58:09 UTC	676	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: nginx/1.16.0 Date: Thu, 18 Jul 2024 20:58:09 GMT X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Expires: Thu, 18 Jul 2024 20:58:09 GMT Cache-Control: private, max-age=3 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Accept-Ranges: none Vary: Accept-Encoding X-Cache: Miss from cloudfront Via: 1.1 62e7b24ca032b612bb93fa7f3437469c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P7 X-Amz-Cf-Id: zP3tyRuRR1ZfhEfc04c1P3Ww8-Ixjc0cgxiuoPf_KEdyaymF4pNokQ==
2024-07-18 20:58:09 UTC	458	IN	Data Raw: 31 63 33 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 33 2c 22 64 61 74 61 22 3a 22 36 37 2e 31 33 37 2e 31 37 34 2e 32 35 34 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 33 2c Data Ascii: 1c3{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nit.crash1ytics.com.","type":1}],"Answer":[{"name":"nit.crash1ytics.com.","type":1,"TTL":3,"data":"67.137.174.254"},{"name":"nit.crash1ytics.com.","type":1,"TTL":3,
2024-07-18 20:58:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:57:04
Start date:	18/07/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\lets-test.msi"
Imagebase:	0x7ff7ea810000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	16:57:07
Start date:	18/07/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding A5D05F387DF25EBE7AE8DA514E37EF3C
Imagebase:	0xf90000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lets-test.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\61335e.rbs

C:\Program Files (x86)\Common Files\Lua51.dll

C:\Program Files (x86)\Common Files\adapt_for_imports.dll

C:\Program Files (x86)\Common Files\beacon_sdk.dll

C:\Program Files (x86)\Common Files\common.dll

C:\Program Files (x86)\Common Files\log\wegame.20240718-184033-778.log

C:\Program Files (x86)\Common Files\log\wegame.mem.log

C:\Program Files (x86)\Common Files\wegame.exe

C:\Program Files (x86)\haxGhXjmBFM.exe

C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe

Windows Analysis Report
lets-test.msi

Target ID:	3
Start time:	16:57:09
Start date:	18/07/2024
Path:	C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\haxGhXjmBFM\LetsPRO.exe"
Imagebase:	0xbc0000
File size:	245'880 bytes
MD5 hash:	EA9E2F517B1CC2DBE7F78302DD7FB593
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	16
Start time:	16:57:11
Start date:	18/07/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1900,i,16840921317244570798,13407743960639991352,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	18
Start time:	16:57:12
Start date:	18/07/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4204 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	16:57:16
Start date:	18/07/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,15600672359767385931,12955159692457146143,262144 /prefetch:8
Imagebase:	0x7ff7100b0000
File size:	1'255'976 bytes
MD5 hash:	76C58E5BABFE4ACF0308AA646FC0F416
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	16:57:28
Start date:	18/07/2024
Path:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Imagebase:	0x7ff7beed0000
File size:	101'536 bytes
MD5 hash:	1E3CF83B17891AEE98C3E30012F0B034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	16:57:29
Start date:	18/07/2024
Path:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
Imagebase:	0x7ff7beed0000
File size:	101'536 bytes
MD5 hash:	1E3CF83B17891AEE98C3E30012F0B034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	16:57:30
Start date:	18/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	16:57:31
Start date:	18/07/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000158"
Imagebase:	0x7ff69fe90000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	37
Start time:	16:57:32
Start date:	18/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	16:57:33
Start date:	18/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c netsh advfirewall firewall Delete rule name=lets
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true