File name:	_8334abf7a7af06479e6afa45ace0142d51e48c2b1f7bfb6f4d86f5eb3e8fa1e9.exe
Full analysis:	https://app.any.run/tasks/5ee1a223-dc97-4e5d-a315-25014808c19d
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group. Malware Trends Tracker >>>
Analysis date:	February 07, 2026, 10:40:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	delphi websocket payload valleyrat silverfox rat winos evasion
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	A3C3B290B1989B78D33F90B3611335B1
SHA1:	3A2D6ED65D3D0AEE0E0E496D248C60C8C4C583F3
SHA256:	8334ABF7A7AF06479E6AFA45ACE0142D51E48C2B1F7BFB6F4D86F5EB3E8FA1E9
SSDEEP:	393216:QDl4W6PElWwn08uPl8T3ZahmiqDPTNkCQ1qqAX67h:rWV4wn0b8Ziq7uCQ13AX2

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:01:31 17:44:13+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	4096
InitializedDataSize:	90112
UninitializedDataSize:	-
EntryPoint:	0x1d20
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	3.16.7.0
ProductVersionNumber:	3.16.7.0
FileFlagsMask:	0x003f
FileFlags:	Pre-release
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unknown (01B5)
Comments:	-
CompanyName:	-
FileDescription:	Lets Setup
FileVersion:	3.16.7.0
InternalName:	LetsVPN
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	LetsVPN.exe
PrivateBuild:	-
ProductName:	Lets
ProductVersion:	3.16.7.0
SpecialBuild:	-


(PID) Process:	(8252) letsvpn-3.16.9.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\lets
Operation:	write	Name:	InstallTimeStamp
Value: 20260207054213.412
(PID) Process:	(8252) letsvpn-3.16.9.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\lets
Operation:	write	Name:	InstallNewVersion
Value: 3.16.9
(PID) Process:	(4996) tapinstall.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(2860) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901
Operation:	write	Name:	Owners
Value: oem9.inf
(PID) Process:	(2860) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/drivers/tap0901.sys
Operation:	write	Name:	Owners
Value: oem9.inf
(PID) Process:	(2860) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:	write	Name:	Configuration
Value: tap0901.ndi
(PID) Process:	(2860) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:	write	Name:	Manufacturer
Value: %provider%
(PID) Process:	(2860) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Descriptors\tap0901
Operation:	write	Name:	Description
Value: %devicedescription%
(PID) Process:	(2860) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:	write	Name:	Service
Value: tap0901
(PID) Process:	(2860) drvinst.exe	Key:	HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\oemvista.inf_amd64_662fd96dfdced4ae\Configurations\tap0901.ndi
Operation:	write	Name:	ConfigScope
Value: 5

PID	Process	Filename		Type
9048	_8334abf7a7af06479e6afa45ace0142d51e48c2b1f7bfb6f4d86f5eb3e8fa1e9.exe	C:\Users\admin\AppData\Local\Temp\genteert.dll		executable
		MD5:6CE814FD1AD7AE07A9E462C26B3A0F69	SHA256:54C0DA1735BB1CB02B60C321DE938488345F8D1D26BF389C8CB2ACAD5D01B831
9048	_8334abf7a7af06479e6afa45ace0142d51e48c2b1f7bfb6f4d86f5eb3e8fa1e9.exe	C:\Users\admin\AppData\Roaming\LetsVPN\adddf.vbe		binary
		MD5:B42B13CE8B65822BC306FA7A43DDDA56	SHA256:8899328528E624933756A42F050F6D07A8C21BE2BA1F35DB9D63ED4AB09C2C59
9048	_8334abf7a7af06479e6afa45ace0142d51e48c2b1f7bfb6f4d86f5eb3e8fa1e9.exe	C:\Users\admin\AppData\Local\Temp\gentee4E\guig.dll		executable
		MD5:DDD4A31094764A9DEB6A82C8658FD9C5	SHA256:624F4C25504BA431F450D8ECEE2E2D0A4D87B95F7FA0B72DB43F057CA021C328
8252	letsvpn-3.16.9.exe	C:\Program Files (x86)\letsvpn\driver\tap0901.sys		executable
		MD5:C10CCDEC5D7AF458E726A51BB3CDC732	SHA256:589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
8252	letsvpn-3.16.9.exe	C:\Program Files (x86)\letsvpn\driver\OemVista.inf		binary
		MD5:26009F092BA352C1A64322268B47E0E3	SHA256:150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
8252	letsvpn-3.16.9.exe	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe		executable
		MD5:1E3CF83B17891AEE98C3E30012F0B034	SHA256:9F45A39015774EEAA2A6218793EDC8E6273EB9F764F3AEDEE5CF9E9CCACDB53F
8252	letsvpn-3.16.9.exe	C:\Program Files (x86)\letsvpn\Update.exe		executable
		MD5:B8FF4A1DBAFE8C6489A9C0C3D9E51B40	SHA256:5F640DAEBE2CD329D4A3206C9D56BDEAB38082E1CDA6264FF87130B353495B7A
8252	letsvpn-3.16.9.exe	C:\Program Files (x86)\letsvpn\driver\tap0901.cat		binary
		MD5:F73AC62E8DF97FAF3FC8D83E7F71BF3F	SHA256:CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
8252	letsvpn-3.16.9.exe	C:\Program Files (x86)\letsvpn\app-3.16.9\DeltaCompressionDotNet.MsDelta.dll		executable
		MD5:C848A2F5FA5FEAA71409795E8E8C69D0	SHA256:1CE872ED466A8A3466C808A7BABF3B597EC12E1CB84870E7A0CF00B2F5EF6DF4
8252	letsvpn-3.16.9.exe	C:\Program Files (x86)\letsvpn\app-3.16.9\CommunityToolkit.Mvvm.dll		executable
		MD5:84B2D19FB23993251130999CD42563B8	SHA256:11B1ADD1DB058D3760F52512E0CA911AF726D7C049F25178446B6BD33D4EECD2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5356	SIHClient.exe	GET	304	135.232.92.137:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
8068	svchost.exe	GET	200	184.24.77.37:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	POST	200	40.126.31.71:443	https://login.live.com/RST2.srf	US	xml	10.3 Kb	unknown
6768	MoUsoCoreWorker.exe	GET	200	184.24.77.37:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5356	SIHClient.exe	GET	304	135.232.92.137:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
—	—	GET	200	184.24.77.37:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	POST	200	40.126.31.71:443	https://login.live.com/RST2.srf	US	xml	10.3 Kb	unknown
—	—	GET	304	135.232.92.137:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	—
356	svchost.exe	POST	200	20.190.160.64:443	https://login.live.com/RST2.srf	US	xml	10.3 Kb	whitelisted
—	—	GET	200	135.232.92.137:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	compressed	29.1 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
—	—	184.24.77.37:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	184.24.77.37:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
8068	svchost.exe	184.24.77.37:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	20.190.160.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3412	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	184.24.77.37 184.24.77.35 2.19.126.133 2.19.126.146	whitelisted
login.live.com	20.190.160.64 20.190.160.3 40.126.32.138 20.190.160.4 40.126.32.134 20.190.160.131 20.190.160.20 40.126.32.72	whitelisted
slscr.update.microsoft.com	135.232.92.137	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241 2603:1030:10:12::2fe	whitelisted
241.42.69.40.in-addr.arpa	—	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64 128.24.231.64	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Potentially Bad Traffic	PAYLOAD [ANY.RUN] XORed Windows executable has been loaded
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
3952	WindowsEvent.exe	Device Retrieving External IP Address Detected	ET INFO External IP Check myexternalip.com
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
3952	WindowsEvent.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request

General Info

_8334abf7a7af06479e6afa45ace0142d51e48c2b1f7bfb6f4d86f5eb3e8fa1e9.exe

A3C3B290B1989B78D33F90B3611335B1

3A2D6ED65D3D0AEE0E0E496D248C60C8C4C583F3

8334ABF7A7AF06479E6AFA45ACE0142D51E48C2B1F7BFB6F4D86F5EB3E8FA1E9

393216:QDl4W6PElWwn08uPl8T3ZahmiqDPTNkCQ1qqAX67h:rWV4wn0b8Ziq7uCQ13AX2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes powershell execution policy (Bypass)

VALLEYRAT has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Drops a system driver (possible attempt to evade defenses)

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

The process executes Powershell scripts

Bypass execution policy to execute commands

Uses NETSH.EXE to delete a firewall rule or allowed programs

Starts CMD.EXE for commands execution

Reads the Windows owner or organization settings

Executes as Windows Service

The process executes via Task Scheduler

Checks for external IP

INFO

The sample compiled with english language support

Drops encrypted VBS script (Microsoft Script Encoder)

Checks supported languages

Reads the computer name

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Create files in a temporary directory

There is functionality for taking screenshot (YARA)

Compiled with Borland Delphi (YARA)

Creates files in the program directory

Drops script file

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads the machine GUID from the registry

Creates a software uninstall entry

Checks proxy server information

Reads product name

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity