Analysis
-
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2025 00:02
-
Static task
static1
Behavioral task behavioral1
Sample: f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe
Resource: win10v2004-20241007-en
The signatures and IoCs below come from behavioral2 (Windows 10 2004 x64); the memory-dump YARA resources are prefixed behavioral2/ accordingly.
General
Target: f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe
Size: 15.7MB
MD5: 260acc17a495041dc2c98c82a2b896b5
SHA1: 4d119bff35beaa47ca506b2795824893fd0053c8
SHA256: f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b
SHA512: 9ec8243c9e85bdefdc15ea3386286aa49facd7068c0d52167a6bb23614057e173885dc49f473171bbc4fe4621d3310d5bc302a23200b753a1a63bf45d296f88f
SSDEEP: 393216:C9lCKlon+UNPc5bSXy3v0zs8yj6BHuKrrT4wV9SrmP1i6FJ:C2+UNk5bhfG5HuKrrT4wVVP1i67
Malware Config
Signatures
-
YARA match purplefox_rootkit 1 IoCs
  resource  behavioral2/memory/4908-24-0x0000000010000000-0x000000001019E000-memory.dmp  yara_rule purplefox_rootkit
-
Gh0st RAT payload 1 IoCs
  resource  behavioral2/memory/4908-24-0x0000000010000000-0x000000001019E000-memory.dmp  yara_rule family_gh0strat
-
Gh0strat family
-
Purplefox family
-
Both rules fire on the same dump: a module mapped at 0x10000000-0x1019E000 inside PID 4908, which is the csrss.exe the sample writes to C:\Program Files (x86) (see "Executes dropped EXE"). 0x10000000 is the default image base for 32-bit DLLs, so the match is against a module mapped into that process, which may be packed or absent on disk; carve that region from the dump (or from the live process) if you need the unpacked payload.
-
Drops file in Drivers directory 4 IoCs
  File created                  C:\Windows\system32\drivers\QAssist.sys  Phxph.exe
  File opened for modification  C:\Windows\System32\drivers\SET34C7.tmp  DrvInst.exe
  File created                  C:\Windows\System32\drivers\SET34C7.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\drivers\tap0901.sys  DrvInst.exe
-
Two different things are happening here. tap0901.sys is the OpenVPN TAP-Windows adapter that the bundled LetsVPN installer sets up through the normal PnP path (tapinstall.exe hands the package to DrvInst.exe, which stages it as a SETxxxx.tmp file before renaming it into place). QAssist.sys is written straight into system32\drivers by Phxph.exe, outside the driver store, and its service is registered by hand (see "Sets service image path in registry"); that file is the one to pull and check the signature on.
-
Modifies Windows Firewall 2 TTPs 5 IoCs
  pid   Process
  4448  netsh.exe
  3376  netsh.exe
  5088  netsh.exe
  4240  netsh.exe
  2752  netsh.exe
-
The report records five netsh.exe launches but not their command lines, so it does not say which rules were added or whether the firewall profile was changed; the argument strings are needed before treating these as nothing more than the VPN client's own allow rules.
-
Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Phxph.exe
-
Phxph.exe writes the ImagePath under ControlSet001\Services\QAssist itself rather than going through the Service Control Manager, pairing with the QAssist.sys drop above to register a kernel driver. The report does not show the service starting; on 64-bit Windows 10 the driver still has to pass Driver Signature Enforcement when it is loaded, so on any host where this key exists check the file's signature status and whether the QAssist driver is actually running.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  csrss.exe
-
Both the initial sample and the dropped csrss.exe read the user's GeoID (Geo\Nation). The report does not show which values the check gates on, so "geofence" is an inference from the read, not an observed branch.
-
Executes dropped EXE 10 IoCs
  pid   Process
  1096  letsvpn-latest.exe
  4908  csrss.exe
  2224  Phxph.exe
  3264  tapinstall.exe
  4904  tapinstall.exe
  4800  tapinstall.exe
  3472  LetsPRO.exe
  4284  LetsPRO.exe
  2060  LetsPRO.exe
  4952  LetsPRO.exe
-
The dropped binaries fall into two groups. letsvpn-latest.exe, tapinstall.exe and LetsPRO.exe are the bundled LetsVPN 3.12.0 installer and client (a Squirrel-packaged .NET application, which accounts for the 15.7 MB sample and the dozens of System.*.dll writes under Program Files (x86)\letsvpn\app-3.12.0). csrss.exe (PID 4908, the process the Gh0st RAT and PurpleFox rootkit YARA rules fire on) and Phxph.exe (the QAssist.sys dropper) are the malicious payload riding along with it.
-
Loads dropped DLL 64 IoCs
  pid   Process             loads
  1096  letsvpn-latest.exe  13
  4284  LetsPRO.exe         8
  4952  LetsPRO.exe         43
  (the 64 individual entries collapsed to counts per process)
-
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe\" /silent"  LetsPRO.exe
-
This is the VPN client registering its own silent auto-start, written by LetsPRO.exe. The only persistence the report shows for the malicious components is the QAssist driver service.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Phxph.exe: \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  (22 drive letters; A:, C:, D: and F: are not in the list)
-
  pid   Process
  860   cmd.exe
  4288  ARP.EXE
-
Drops file in System32 directory 16 IoCs
  File opened for modification  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF  tapinstall.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\oemvista.inf  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\SET3312.tmp  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\drvstore.tmp  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\SET3302.tmp  DrvInst.exe
  File created                  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\SET3313.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\tap0901.sys  DrvInst.exe
  File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\SET3312.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\tap0901.cat  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\SET3302.tmp  DrvInst.exe
  File opened for modification  C:\Windows\System32\DriverStore\Temp\{8a425e99-1220-854a-acaf-50b08298eea9}\SET3313.tmp  DrvInst.exe
-
All sixteen are the driver store staging the TAP-Windows package (oemvista.inf, tap0901.sys, tap0901.cat) during the PnP install; nothing malicious lands under System32 here. The one malicious System32 write is QAssist.sys under the Drivers directory signature above.
-
Drops file in Program Files directory 64 IoCs
  Notable entries:
  File opened for modification  C:\Program Files (x86)\csrss.exe  f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe
  File created                  C:\Program Files (x86)\letsvpn\driver\tap0901.sys  letsvpn-latest.exe
  File created                  C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.exe  letsvpn-latest.exe
  File opened for modification  C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.exe  letsvpn-latest.exe
  The remaining 60 entries are letsvpn-latest.exe writing under C:\Program Files (x86)\letsvpn\app-3.12.0\:
  File created: Squirrel.dll, ja\System.Web.Services.Description.resources.dll, System.Net.Primitives.dll, System.Threading.Tasks.dll, System.ServiceProcess.ServiceController.dll, System.Diagnostics.Tracing.dll, System.IO.Compression.dll, Mono.Cecil.Rocks.dll, System.ComponentModel.Primitives.dll, System.Security.Cryptography.Csp.dll, zh-Hant\System.Web.Services.Description.resources.dll, System.Buffers.dll, System.Globalization.Extensions.dll, System.Numerics.Vectors.dll, System.Diagnostics.Contracts.dll, System.Security.SecureString.dll, ToastNotifications.dll, System.Data.Odbc.dll, System.Data.SqlClient.dll, System.Diagnostics.Tools.dll, Microsoft.Toolkit.Uwp.Notifications.dll, System.Diagnostics.TextWriterTraceListener.dll, System.IO.Compression.ZipFile.dll, System.Linq.Expressions.dll, System.Linq.dll
  File opened for modification: NuGet.Squirrel.dll, System.IO.Compression.dll, System.Linq.Expressions.dll, System.Net.Ping.dll, System.Xml.XDocument.dll, LetsVPNDomainModel.dll, Microsoft.Web.WebView2.WinForms.dll, System.Net.Sockets.dll, log4net.config, System.Resources.Writer.dll, PusherClient.dll, System.ServiceModel.NetTcp.dll, cs, System.Security.Permissions.dll, System.Security.Claims.dll, WebSocket4Net.dll, System.Diagnostics.Debug.dll, System.Diagnostics.TraceSource.dll, System.Runtime.dll, System.Threading.Overlapped.dll, runtimes\win-x86, System.Security.Principal.dll, System.Threading.AccessControl.dll, System.Threading.dll, fr\System.Web.Services.Description.resources.dll, LetsPRO.exe.config, System.Text.Encoding.CodePages.dll, System.Xml.ReaderWriter.dll, System.Xml.XPath.dll, zh-TW, System.Net.IPNetwork.dll, System.Runtime.CompilerServices.Unsafe.dll, System.Resources.Reader.dll, System.Memory.dll, System.ServiceModel.Http.dll
-
The only entry not attributable to the installer is the sample itself writing C:\Program Files (x86)\csrss.exe, a name chosen to blend in with the real Client/Server Runtime Subsystem binary in System32; a csrss.exe anywhere else is a finding on its own. tap0901.sys under letsvpn\driver is the installer's copy of the TAP driver, staged before tapinstall.exe runs.
-
Drops file in Windows directory 6 IoCs
  File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  tapinstall.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  svchost.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
  File opened for modification  C:\Windows\inf\oem3.inf  DrvInst.exe
  File created                  C:\Windows\inf\oem3.inf  DrvInst.exe
-
setupapi.dev.log and oem3.inf are the PnP installer's own log and the installed copy of the TAP INF. On an infected host setupapi.dev.log gives you the timestamp of the TAP install, which brackets when the bundle ran.
-
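A host-triage script, added here as an editor's example rather than anything from the sandbox report, from LetsVPN or from the malware, that checks a Windows host for the persistence artifacts listed in the signatures above: the QAssist driver service and file, the csrss.exe copy in Program Files (x86), and the LetsPRO Run value. Assumptions: the firewall rules are matched by a program path containing "letsvpn", which the report does not show (it lists the netsh.exe processes but not their arguments); the Add-Finding helper and the variable names are mine.

```powershell
# Added triage script (not part of the sandbox report). Run from an elevated
# PowerShell 5.1 or later session. Paths, service and value names come from
# the report; the firewall pattern "*letsvpn*" is an assumption.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Driver service registered by writing ImagePath directly into the registry
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\QAssist'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    Add-Finding 'Service QAssist' "key present, ImagePath=$img"
}
$drv = Join-Path $env:SystemRoot 'System32\drivers\QAssist.sys'
if (Test-Path $drv) {
    $hash = (Get-FileHash -Path $drv -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $drv).Status   # NotSigned/HashMismatch is the expected answer for a dropped driver
    Add-Finding 'Driver file' "$drv SHA256=$hash Signature=$sig"
}
# Is the driver actually loaded? A registered-but-unloaded QAssist and a running one are different incidents.
$loaded = Get-CimInstance Win32_SystemDriver -Filter "Name='QAssist'" -ErrorAction SilentlyContinue
if ($loaded) { Add-Finding 'Driver loaded' "Win32_SystemDriver QAssist State=$($loaded.State)" }

# 2. csrss.exe masquerade: the genuine binary lives only in System32
$fake = Join-Path ${env:ProgramFiles(x86)} 'csrss.exe'
if (Test-Path $fake) {
    Add-Finding 'Masquerading csrss.exe' "$fake SHA256=$((Get-FileHash -Path $fake -Algorithm SHA256).Hash)"
}
Get-CimInstance Win32_Process -Filter "Name='csrss.exe'" | ForEach-Object {
    # ExecutablePath is empty for the protected real csrss; a readable path outside System32 is the impostor
    if ($_.ExecutablePath -and $_.ExecutablePath -notlike "$env:SystemRoot\System32\*") {
        Add-Finding 'csrss.exe process' "PID $($_.ProcessId) image=$($_.ExecutablePath)"
    }
}

# 3. Run value in every loaded user hive (the report shows it under the S-1-5-21-... user)
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $run = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).LetsPRO
        if ($val) { Add-Finding 'Run value LetsPRO' "$($_.PSChildName): $val" }
    }

# 4. Firewall rules bound to a program under the letsvpn install directory (assumed pattern)
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*letsvpn*' } |
    Get-NetFirewallRule |
    ForEach-Object { Add-Finding 'Firewall rule' "$($_.DisplayName) $($_.Direction)/$($_.Action) Enabled=$($_.Enabled)" }

if ($findings.Count -eq 0) { 'No artifacts from this report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

The service and driver checks are the ones that matter: the Run value and firewall rules are the VPN client's own footprint and will also be present on a machine that installed a clean LetsVPN build.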
  pid   Process
  3732  powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  All 18 events are netsh.exe accessing \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh:
  Key opened            x6
  Key queried           x6
  Key value enumerated  x6
-
Read this signature with care: every netsh.exe process enumerates this key at startup to find its helper DLLs, so these events show netsh being run, not a helper being installed. A registration would appear as a "Set value" on this key, and none is listed. The WOW6432Node path does tell you the 32-bit netsh.exe was used, consistent with a 32-bit parent such as the x86 LetsVPN client.
-
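To turn the caveat above into a check, the following script, added here as an editor's example and not taken from the report, enumerates the helper DLLs registered in both the native and the WOW6432Node NetSh keys and flags any that resolve outside the Windows directory. Value names, paths and the Get-NetshHelper function name are mine; the key layout (value name = helper, value data = DLL name) is how Windows stores helpers.

```powershell
# Added example (not part of the sandbox report): list netsh helper DLL
# registrations and flag ones that do not live under the Windows directory.
function Get-NetshHelper {
    $targets = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\NetSh';             Dir = (Join-Path $env:SystemRoot 'System32') },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\NetSh'; Dir = (Join-Path $env:SystemRoot 'SysWOW64') }
    )
    foreach ($t in $targets) {
        if (-not (Test-Path $t.Key)) { continue }
        $item = Get-Item -Path $t.Key
        foreach ($name in $item.GetValueNames()) {
            $dll = [string]$item.GetValue($name)   # value name = helper name, data = DLL file name or full path
            # A bare file name is loaded from the system directory matching the netsh bitness
            $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $t.Dir $dll }
            [pscustomobject]@{
                Key        = $t.Key
                Helper     = $name
                Dll        = $dll
                Resolved   = $resolved
                Exists     = (Test-Path -LiteralPath $resolved)
                Suspicious = ($resolved -notlike "$env:SystemRoot\*")
            }
        }
    }
}

Get-NetshHelper | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a clean host every row points at a Microsoft DLL under System32 or SysWOW64; a full path into Program Files, a user profile or a temp directory is the finding this signature is meant to catch, and it is absent from this report.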
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
  cmd.exe x9, netsh.exe x6, LetsPRO.exe x4, and one each from ARP.EXE, PING.EXE, ROUTE.EXE, ipconfig.exe, powershell.exe, csrss.exe, letsvpn-latest.exe, Phxph.exe
-
NLS\Language is read during ordinary locale initialisation in many processes, the built-in command-line tools included, so the only entries with any signal are csrss.exe and Phxph.exe, and even those are weak on their own. The Geo\Nation read under "Checks computer location settings" is the better indicator of a deliberate locale check.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  3820  cmd.exe
  4532  PING.EXE
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
  64 reads under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ by tapinstall.exe, DrvInst.exe and svchost.exe, across three device instances:
    Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
    CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 and ...\000002
  Values read: ConfigFlags, CompatibleIDs, HardwareID, Service, Phantom, Filters, LowerFilters, UpperFilters, Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 (the device-instance keys themselves are also opened)
-
The readers here are the driver installer (tapinstall.exe), the PnP install host (DrvInst.exe) and svchost.exe, and the values are the ones device installation walks for every PnP device. Neither csrss.exe nor Phxph.exe touches these keys, so this is not evidence of sandbox evasion. The QEMU_DVD-ROM entry does give away that the analysis VM runs on QEMU, which a real evasion check would have found.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       Phxph.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Phxph.exe
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       LetsPRO.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  LetsPRO.exe
-
~MHz is the nominal clock speed; reading it is common in legitimate code (LetsPRO.exe here) as well as in VM checks, so Phxph.exe doing the same is suggestive rather than conclusive.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
  pid   Process
  860   ipconfig.exe
-
Modifies data under HKEY_USERS 42 IoCs
  41 x Key created by DrvInst.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (CA, Root, Disallowed, trust, TrustedPeople, SmartCardRoot) and \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (CA, Disallowed, trust, TrustedPeople), each store with its Certificates, CRLs and CTLs subkeys, plus \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  1 x Set value (str) by svchost.exe: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"
-
DrvInst.exe runs as SYSTEM, so its certificate-store initialisation lands in the .DEFAULT hive; these are empty store keys being created as it opens the stores to verify the driver package, not certificates being added (there is no "Set value" among them). The MuiCache entry is a service host caching a display string for the home-networking configuration library, a side effect of the firewall configuration calls.
-
Modifies registry class 9 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe\",1" LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open LetsPRO.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe\" \"%1\"" LetsPRO.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe" LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2 LetsPRO.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\ = "letsvpn2Protocol" LetsPRO.exe
Note: these nine writes register a letsvpn2: URL-protocol handler whose open command passes the full URI to LetsPRO.exe as "%1"; they come from the bundled LetsVPN application, not from the csrss.exe/Phxph.exe branch of the tree.
-
Modifies system certificate store 2 TTPs 11 IoCs
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 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 LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 LetsPRO.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 LetsPRO.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 LetsPRO.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 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 LetsPRO.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 LetsPRO.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 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 LetsPRO.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob =
5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944e
f3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f
07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410 LetsPRO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C LetsPRO.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 LetsPRO.exe
Note: all 11 writes are Blob values under the AuthRoot store, which is the store Windows' automatic root update fills on demand when a chain is built against a root not yet cached locally. The one blob shown in full (thumbprint 8094640E...) carries the UTF-16 friendly name "GlobalSign Root CA - R6" in its property 0x0b and, in the DER in property 0x20, a self-signed certificate with GlobalSign as both subject and issuer. On its own that is consistent with LetsPRO.exe triggering a public root fetch during TLS chain validation rather than with an attacker-controlled root being installed; a root appearing under Root, TrustedPeople or AuthRoot with a thumbprint that is not in the Microsoft Trusted Root Program list would be the thing to chase. Check the three thumbprints against that list before scoring this as Install Root Certificate.
-
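The Blob values above use the CryptoAPI serialized-certificate layout: a run of property records, each a little-endian property ID, a reserved word (1 in every record of the blob shown), a length and the data. The record with property ID 0x20 holds the DER certificate and 0x03 its SHA-1 thumbprint, which is also the registry key name. The parser below is an added example (not from the sandbox, the sample or LetsVPN) for checking a captured blob offline: it splits the records, verifies that the stored thumbprint equals the SHA-1 of the embedded DER, decodes the UTF-16 friendly name and looks the thumbprint up in an allow-list the caller supplies. The blob it runs on is constructed inline around a stand-in DER body; PROP_NAMES maps only the property IDs this check needs and reports every other record by number.

```python
"""Parse the serialized-certificate 'Blob' values that the SystemCertificates
registry hives store (the AuthRoot writes above are this format)."""
import hashlib
import struct

# Property IDs from wincrypt.h (CERT_*_PROP_ID). Assumption: only the IDs this
# check needs are named; any other record is reported as PROP_<n>.
PROP_NAMES = {
    3: "SHA1_HASH",             # thumbprint, also the registry key name
    4: "MD5_HASH",
    11: "FRIENDLY_NAME",        # UTF-16LE, NUL terminated
    20: "KEY_IDENTIFIER",
    32: "CERT",                 # the DER-encoded certificate itself
    98: "AUTH_ROOT_SHA256_HASH",
}


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the property records: propid(u32) reserved(u32) length(u32) data.
    Returns {property name: raw bytes}; raises on a truncated or odd record."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off - 8}")
        if off + length > len(blob):
            raise ValueError(f"record {propid} claims {length} bytes past end of blob")
        props[PROP_NAMES.get(propid, f"PROP_{propid}")] = blob[off:off + length]
        off += length
    return props


def summarize(blob_hex: str, known_roots: set[str]) -> dict:
    """Decode a hex Blob as printed in the report and sanity-check it: the SHA1
    property must equal the SHA-1 of the embedded DER, the friendly name is
    UTF-16LE, and the thumbprint is looked up in the caller's allow-list."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props.get("CERT")
    if der is None:
        raise ValueError("blob has no CERT (0x20) property")
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props.get("SHA1_HASH", b"").hex().upper()
    name = props.get("FRIENDLY_NAME", b"").decode("utf-16-le").rstrip("\x00")
    return {
        "thumbprint": thumbprint,
        "thumbprint_matches_stored": stored == thumbprint,
        "friendly_name": name,
        "der_len": len(der),
        "known_root": thumbprint in known_roots,
    }


def build_cert_blob(props: list[tuple[int, bytes]]) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


# Constructed sample: a stand-in DER body (not a real certificate) wrapped in the
# same record layout Windows writes. The SHA1 record is computed from the body,
# so the consistency check passes exactly as it would for a genuine blob.
SAMPLE_DER = bytes.fromhex("3003020101")   # DER SEQUENCE { INTEGER 1 }
SAMPLE_BLOB_HEX = build_cert_blob([
    (3, hashlib.sha1(SAMPLE_DER).digest()),
    (11, "Example Root CA\x00".encode("utf-16-le")),
    (32, SAMPLE_DER),
]).hex()

if __name__ == "__main__":
    # Paste a Blob hex string from the report in place of SAMPLE_BLOB_HEX and
    # the thumbprints you trust into the set to triage a real write.
    print(summarize(SAMPLE_BLOB_HEX, {"8094640EB5A7A1CA119C1FDDD59F810263A7FBD1"}))
```

A blob whose stored thumbprint disagrees with the SHA-1 of its DER, or whose thumbprint is not in your allow-list, is the one worth pulling the DER out of and inspecting; for the three thumbprints on this page the allow-list to use is the Microsoft Trusted Root Program membership.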
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4532 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2224 Phxph.exe (x64, every hit from the same process)
-
Suspicious behavior: LoadsDriver 3 IoCs
pid Process
2224 Phxph.exe
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 4908 csrss.exe
Token: SeLoadDriverPrivilege 2224 Phxph.exe
Token: SeDebugPrivilege 3732 powershell.exe
Token: SeAuditPrivilege 2164 svchost.exe
Token: SeSecurityPrivilege 2164 svchost.exe
Token: SeLoadDriverPrivilege 4904 tapinstall.exe
Token: SeRestorePrivilege 2504 DrvInst.exe
Token: SeBackupPrivilege 2504 DrvInst.exe
Token: SeLoadDriverPrivilege 2504 DrvInst.exe (x3)
Token: SeDebugPrivilege 4952 LetsPRO.exe
Token: SeIncreaseQuotaPrivilege 4952 LetsPRO.exe
Token: SeSecurityPrivilege 4952 LetsPRO.exe
Token: SeTakeOwnershipPrivilege 4952 LetsPRO.exe
Token: SeLoadDriverPrivilege 4952 LetsPRO.exe
Token: SeSystemProfilePrivilege 4952 LetsPRO.exe
Token: SeSystemtimePrivilege 4952 LetsPRO.exe
Token: SeProfSingleProcessPrivilege 4952 LetsPRO.exe
Token: SeIncBasePriorityPrivilege 4952 LetsPRO.exe
Token: SeCreatePagefilePrivilege 4952 LetsPRO.exe
Token: SeBackupPrivilege 4952 LetsPRO.exe
Token: SeRestorePrivilege 4952 LetsPRO.exe
Token: SeShutdownPrivilege 4952 LetsPRO.exe
Token: SeDebugPrivilege 4952 LetsPRO.exe
Token: SeSystemEnvironmentPrivilege 4952 LetsPRO.exe
Token: SeRemoteShutdownPrivilege 4952 LetsPRO.exe
Token: SeUndockPrivilege 4952 LetsPRO.exe
Token: SeManageVolumePrivilege 4952 LetsPRO.exe
Token: 33 4952 LetsPRO.exe
Token: 34 4952 LetsPRO.exe
Token: 35 4952 LetsPRO.exe
Token: 36 4952 LetsPRO.exe
Token: 33 2224 Phxph.exe
Token: SeIncBasePriorityPrivilege 2224 Phxph.exe
Token: 33 2224 Phxph.exe
Token: SeIncBasePriorityPrivilege 2224 Phxph.exe
Note: the numeric tokens are privilege LUIDs the sandbox did not resolve to names; in winnt.h 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. The two enables that matter for the rootkit branch are SeLoadDriverPrivilege in Phxph.exe (2224), which precedes the QAssist.sys load, and SeIncBasePriorityPrivilege in the dropped csrss.exe (4908).
-
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process
4952 LetsPRO.exe (x5)
-
Suspicious use of SendNotifyMessage 5 IoCs
pid Process
4952 LetsPRO.exe (x5)
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
1096 letsvpn-latest.exe
3264 tapinstall.exe
4904 tapinstall.exe
4800 tapinstall.exe
3472 LetsPRO.exe
2060 LetsPRO.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (repeat counts collapsed; the sandbox lists 64 records)
PID 216 wrote to memory of 1096 216 f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe 82 (x3)
PID 216 wrote to memory of 4908 216 f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe 84 (x3)
PID 4908 wrote to memory of 2224 4908 csrss.exe 85 (x3)
PID 4908 wrote to memory of 3820 4908 csrss.exe 86 (x3)
PID 3820 wrote to memory of 4532 3820 cmd.exe 88 (x3)
PID 1096 wrote to memory of 3732 1096 letsvpn-latest.exe 96 (x3)
PID 1096 wrote to memory of 3264 1096 letsvpn-latest.exe 99 (x2)
PID 1096 wrote to memory of 4904 1096 letsvpn-latest.exe 101 (x2)
PID 2164 wrote to memory of 5000 2164 svchost.exe 104 (x2)
PID 2164 wrote to memory of 2504 2164 svchost.exe 105 (x2)
PID 1096 wrote to memory of 4800 1096 letsvpn-latest.exe 108 (x2)
PID 1096 wrote to memory of 412 1096 letsvpn-latest.exe 110 (x3)
PID 412 wrote to memory of 4448 412 cmd.exe 112 (x3)
PID 1096 wrote to memory of 4384 1096 letsvpn-latest.exe 113 (x3)
PID 4384 wrote to memory of 3376 4384 cmd.exe 115 (x3)
PID 1096 wrote to memory of 2844 1096 letsvpn-latest.exe 116 (x3)
PID 2844 wrote to memory of 5088 2844 cmd.exe 118 (x3)
PID 1096 wrote to memory of 2448 1096 letsvpn-latest.exe 119 (x3)
PID 2448 wrote to memory of 4240 2448 cmd.exe 121 (x3)
PID 1096 wrote to memory of 4784 1096 letsvpn-latest.exe 122 (x3)
PID 4784 wrote to memory of 2752 4784 cmd.exe 124 (x3)
PID 1096 wrote to memory of 3472 1096 letsvpn-latest.exe 126 (x3)
PID 3472 wrote to memory of 4284 3472 LetsPRO.exe 127 (x3)
Processes
(depth in brackets; first line of each node is the image path, second line the command line)

[1] C:\Users\Admin\AppData\Local\Temp\f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe
    "C:\Users\Admin\AppData\Local\Temp\f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:216

    [2] C:\Program Files (x86)\letsvpn-latest.exe
        "C:\Program Files (x86)\letsvpn-latest.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1096

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID:3732

        [3] C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
            "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious use of SetWindowsHookEx
            PID:3264

        [3] C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
            "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Checks SCSI registry key(s)
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID:4904

        [3] C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
            "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious use of SetWindowsHookEx
            PID:4800

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=lets
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:412

            [4] C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall Delete rule name=lets
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
                - System Location Discovery: System Language Discovery
                PID:4448

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=lets.exe
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:4384

            [4] C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall Delete rule name=lets.exe
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
                - System Location Discovery: System Language Discovery
                PID:3376

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:2844

            [4] C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall Delete rule name=LetsPRO.exe
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
                - System Location Discovery: System Language Discovery
                PID:5088

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:2448

            [4] C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall Delete rule name=LetsPRO
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
                - System Location Discovery: System Language Discovery
                PID:4240

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:4784

            [4] C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall Delete rule name=LetsVPN
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
                - System Location Discovery: System Language Discovery
                PID:2752

        [3] C:\Program Files (x86)\letsvpn\LetsPRO.exe
            "C:\Program Files (x86)\letsvpn\LetsPRO.exe" checkNetFramework
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID:3472

            [4] C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" checkNetFramework
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                PID:4284

        [3] C:\Program Files (x86)\letsvpn\LetsPRO.exe
            "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID:2060

            [4] C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
                - Modifies registry class
                - Modifies system certificate store
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                PID:4952

                [5] C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C ipconfig /all
                    - System Location Discovery: System Language Discovery
                    PID:5000

                    [6] C:\Windows\SysWOW64\ipconfig.exe
                        ipconfig /all
                        - System Location Discovery: System Language Discovery
                        - Gathers network information
                        PID:860

                [5] C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C route print
                    - System Location Discovery: System Language Discovery
                    PID:208

                    [6] C:\Windows\SysWOW64\ROUTE.EXE
                        route print
                        - System Location Discovery: System Language Discovery
                        PID:1408

                [5] C:\Windows\SysWOW64\netsh.exe
                    C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
                    - Event Triggered Execution: Netsh Helper DLL
                    - System Location Discovery: System Language Discovery
                    PID:632

                [5] C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C arp -a
                    - Network Service Discovery
                    - System Location Discovery: System Language Discovery
                    PID:860

                    [6] C:\Windows\SysWOW64\ARP.EXE
                        arp -a
                        - Network Service Discovery
                        - System Location Discovery: System Language Discovery
                        PID:4288

    [2] C:\Program Files (x86)\csrss.exe
        "C:\Program Files (x86)\csrss.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:4908

        [3] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe
            "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe"
            - Drops file in Drivers directory
            - Sets service image path in registry
            - Executes dropped EXE
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: LoadsDriver
            - Suspicious use of AdjustPrivilegeToken
            PID:2224

        [3] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~2\csrss.exe > nul
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
            PID:3820

            [4] C:\Windows\SysWOW64\PING.EXE
                ping -n 2 127.0.0.1
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
                PID:4532

[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164

    [2] C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0d82bd84-d425-7b42-8116-a11f59cb1fc5}\oemvista.inf" "9" "4d14a44ff" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files (x86)\letsvpn\driver"
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies data under HKEY_USERS
        PID:5000

    [2] C:\Windows\system32\DrvInst.exe
        DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000100"
        - Drops file in Drivers directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken
        PID:2504

[1] C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    - Modifies data under HKEY_USERS
    PID:4516

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    PID:4044

[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID:828
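The tree has two branches with very different weight: the letsvpn-latest.exe branch behaves like the LetsVPN installer it carries (TAP driver install, firewall rule deletions, a Defender exclusion script), while the csrss.exe branch is the payload: a system-binary name dropped into Program Files (x86), a child executed straight out of the all-users Startup folder that loads a driver, and a cmd.exe that waits on ping and deletes the dropper. The script below is an added example (not from the sandbox or the sample) that turns those shapes into triage rules and runs them over process-creation events constructed from a subset of this tree, with the same images, command lines and PIDs. The sandbox reuses PIDs within the run (5000 is both a cmd.exe under LetsPRO.exe and a DrvInst.exe under svchost.exe; 860 is both ipconfig.exe and a cmd.exe), so the rules key on image path and command line and use the PID map only to walk up to the initiating parent.

```python
"""Triage rules for process-creation events, derived from the process tree in
this report. EVENTS is constructed from a subset of that tree so the script
runs offline; point triage() at your own Sysmon/EDR export to use it for real."""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Names that have no business running from anywhere but a system directory.
SYSTEM_ONLY = {"csrss.exe", "svchost.exe", "lsass.exe", "services.exe",
               "winlogon.exe", "smss.exe", "wininit.exe"}
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
# "ping -n N 127.0.0.1 > nul && del <self>": wait for the parent to exit, then
# remove the dropper, exactly as the csrss.exe branch does above.
SELF_DELETE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1.*&&\s*del\s", re.I)
FIREWALL_CHANGE = re.compile(r"advfirewall\s+firewall\s+(delete|add|set)\b", re.I)

EVENTS = [  # constructed from the report's tree; parent 0 = not in this subset
    {"pid": 216, "parent": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\f59fbde32ab1337b3b287588619925fccc1ad42c5acd276ff2cb662e5bf25a2b.exe"'},
    {"pid": 1096, "parent": 216, "image": r"C:\Program Files (x86)\letsvpn-latest.exe",
     "cmd": r'"C:\Program Files (x86)\letsvpn-latest.exe"'},
    {"pid": 412, "parent": 1096, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": "cmd /c netsh advfirewall firewall Delete rule name=lets"},
    {"pid": 4448, "parent": 412, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": "netsh advfirewall firewall Delete rule name=lets"},
    {"pid": 632, "parent": 4952, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'C:\Windows\System32\netsh interface ipv4 set dnsservers "LetsTAP" source=dhcp validate=no'},
    {"pid": 4908, "parent": 216, "image": r"C:\Program Files (x86)\csrss.exe",
     "cmd": r'"C:\Program Files (x86)\csrss.exe"'},
    {"pid": 2224, "parent": 4908,
     "image": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe",
     "cmd": r'"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe"'},
    {"pid": 3820, "parent": 4908, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~2\csrss.exe > nul"},
    {"pid": 4532, "parent": 3820, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping -n 2 127.0.0.1"},
    {"pid": 2164, "parent": 0, "image": r"C:\Windows\system32\svchost.exe",
     "cmd": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def rule_masquerade(ev, by_pid):
    """A system-binary name (csrss.exe here) running outside System32/SysWOW64."""
    if _base(ev["image"]) in SYSTEM_ONLY and not _dir(ev["image"]).startswith(SYSTEM_DIRS):
        return f"system binary name outside a system directory: {ev['image']}"
    return None


def rule_startup_folder(ev, by_pid):
    """Executable launched directly from a Startup folder (Phxph.exe here)."""
    if STARTUP_DIR in _dir(ev["image"]):
        return f"executable run from a Startup folder: {ev['image']}"
    return None


def rule_self_delete(ev, by_pid):
    """cmd.exe running the ping-then-del idiom used to remove the dropper."""
    if _base(ev["image"]) == "cmd.exe" and SELF_DELETE.search(ev["cmd"]):
        return f"ping-then-del self-delete chain: {ev['cmd']}"
    return None


def rule_firewall_change(ev, by_pid):
    """netsh changing firewall rules; names the process that asked for it, not
    the cmd.exe wrapper, so the installer shows up as the initiator."""
    if _base(ev["image"]) != "netsh.exe" or not FIREWALL_CHANGE.search(ev["cmd"]):
        return None
    parent = by_pid.get(ev["parent"])
    while parent is not None and _base(parent["image"]) == "cmd.exe":
        parent = by_pid.get(parent["parent"])
    origin = ntpath.basename(parent["image"]) if parent else "unknown parent"
    return f"firewall rule change via netsh, initiated by {origin}: {ev['cmd']}"


RULES = {"masquerade": rule_masquerade, "startup_folder": rule_startup_folder,
         "self_delete": rule_self_delete, "firewall_change": rule_firewall_change}


def triage(events):
    """Return (rule, pid, message) for every rule that fires on every event.
    PIDs are reused within a run, so by_pid is only used to walk parents."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            msg = rule(ev, by_pid)
            if msg:
                hits.append((name, ev["pid"], msg))
    return hits


if __name__ == "__main__":
    for name, pid, msg in triage(EVENTS):
        print(f"[{name}] pid {pid}: {msg}")
```

On these events the masquerade, Startup-folder and self-delete rules fire only on the csrss.exe branch (4908, 2224, 3820), and the firewall rule attributes the netsh deletion to letsvpn-latest.exe rather than to the cmd.exe wrapper, which is the context an analyst needs to separate the decoy installer's noise from the payload.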
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Discovery
  Network Service Discovery (1)
  Peripheral Device Discovery (2)
  Query Registry (5)
  Remote System Discovery (1)
  System Information Discovery (6)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
Downloads
-
Filesize 1.9MB
MD5 05258c560c2cba1b8b59b3db4e612da6
SHA1 34f9bff2a5b66e311017f00e09c954cfbbd66f8a
SHA256 29be5508137a704cc968c3a0ad4afcc938a1dd4b1e6838ce091b76e4da7ee3ce
SHA512 759f59b381641fa8ca95a35dea8bfe85872cfe576892bc03ebc6c50dda43db734876f320dd6d85a6d57fa23c060920c655d09488712be9e7376433d634600259
-
Filesize 14.8MB
MD5 9f5f358aa1a85d222ad967f4538bc753
SHA1 567404faec3641f4df889c2c92164cee92723741
SHA256 eb11627e59757105bddb884540854d56b173fe42417878de4e7d246cac92c932
SHA512 d5a4c4b343704b96c98183d13d90e37065c8be0d0ed053696fb28b5e29f1432175d5e9f63c2d2879c3eb3541e4822a64ae7bfa2230c0c00b5c3ada0a1ac82bed
-
Filesize 318B
MD5 b34636a4e04de02d079ba7325e7565f0
SHA1 f32c1211eac22409bb195415cb5a8063431f75cd
SHA256 a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df
SHA512 6eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f
-
Filesize 242KB
MD5 3530cb1b45ff13ba4456e4ffbcae6379
SHA1 5be7b8e19418212a5a93e900c12830facfd6ba54
SHA256 e0669b6312baaef6a3c86f3142b333eab48494511405398bb09cc464881a43c9
SHA512 23baae23815fc946203be6d93cef84ff23fde8ed88017179c65b7de1f3b6114bc8343c277b8ae5a1d85aa59f25b5f146c1d827b7e4617bfd0aa0ff20359f49b5
-
Filesize 33B
MD5 862d9ed729f9bd1209a13c49c8388cfc
SHA1 18c5c6faaec66d790893dd34d6a415879e36e92c
SHA256 a21ed21b8c02ad37840fb4374873858f650a7ebe9c29789d2562b51f30c2922b
SHA512 33c78de82c4b449b59beba7bc7f700f5a9e271007b7d79a95c99f994cc15c151fd25471dd8682beb06c55d4bb282e7890282947c8cd16419311e911900005fe5
-
Filesize 111KB
MD5 c5485166b86b4cd6de97c4dc8d0fbefb
SHA1 c047f339399098e7e4bf92ef7a8f38c1e5d5054d
SHA256 21678620bf5e7b4c8481270594b0a36615be6152ca7a9396487364712236a3d5
SHA512 33efda5903587d17a698bfaec6e5c119d4adcfc23ea1588f2b155ffcba88761e40e1db791f545a064effdc63e6ba7aa68027c96b4a632331c0ea7297ac093f26
-
Filesize 1.5MB
MD5 56162a01d3de7cb90eb9a2222c6b8f24
SHA1 c4c10199b5f7d50d641d115f9d049832ec836785
SHA256 a41077ed210d8d454d627d15663b7523c33e6f7386cd920a56fbcfbb0a37547d
SHA512 23c4aac046ffdecaa64acbee9579634c419202be43463927dfabf9798ded17b1b7a1199f1db54e247d28d82f39f3f352ac3acbade2118c67717fd37260bd8b4f
-
Filesize 26KB
MD5 11752aa56f176fbbbf36420ec8db613a
SHA1 0affc2837cee71750450911d11968e0692947f13
SHA256 d66328eb01118a727e919b52318562094f2ff593bd33e5d3aab5e73602388dfa
SHA512 ed78045e4b6b85a1a0557c2ccd85a27e90defc48e50d2833d3d8d23526dc8d1040a64e883cb42aea3052d499ea4c95e775384ae710b1222191ead6f8b0e0b560
-
Filesize 22KB
MD5 4fb031cb8840ee01cb6aa90696557143
SHA1 b009c8c975929b73dd977969e6816066d57f39c6
SHA256 64b09932ef5b25f5c2c185fe955c7784ab23cdf7d12fdad77fe05947e20006ba
SHA512 03731c0f6423f2fa3d6710b86c7cc41aa970058b818ab724321040984841dc451109638c813d564cb89dd00af3962e84811aed5a3b37ae9a1b9c1febeb85ae60
-
Filesize 695KB
MD5 3b3f8e087fc13a4b7bc9cf7dbba4ed9b
SHA1 321e0d0c5c275f2f57af78bc465535a923d2427c
SHA256 ae71f96b5316a5b8eff90f2da4c9b55c57fb6a74193f380deb38e49fe1010dde
SHA512 f823d1460eb52fd039c248e6353587adb2b78ca9ef988aa9ec7402c428fc3f178d099d5ecd106fdd9e2e051d87db4a799cd3de51c402e5c79e5014e6c8c6a6b5
-
Filesize 127KB
MD5 0e444739d07678a3f6ea4202c4237832
SHA1 0689c9cdad379b4b0952674a7bf75a5a1f2f33a9
SHA256 a3aab8ca7b0747242207d1223e241e602b45ba69f25ba5b611a12eeacd19ec1a
SHA512 85f6d4920d93f8ee2bb7a384424c9eea25cc5591bf7a7301bdc31170944549b3860a90c5694f194ee0f9cd85f0ea053e89039f95ff806b735e526d583ee7e0bf
-
Filesize 1KB
MD5 7a7521bc7f838610905ce0286324ce39
SHA1 8ab90dd0c4b6edb79a6af2233340d0f59e9ac195
SHA256 2a322178557c88cc3c608101e8fc84bfd2f8fa9b81483a443bb3d09779de218d
SHA512 b25dfdce0977eaf7159df5eabe4b147a6c0adac39c84d1c7a9fe748446a10c8d2e20d04cf36221057aa210633df65f2a460821c8c79a2db16c912ec53a714d83
-
Filesize 275KB
MD5 c5098ff401b766e6e554499d37d0b716
SHA1 fd4c3df050ec2b30740e2d62b27a9e375401f190
SHA256 b015c62c09b4033d0a4caae36f3a9804a8cee2549145e199ada5a9bf51095e0d
SHA512 04f3261ed8d59e5e8455d868cb7ceef97466fb4fc57a98544024f53c4ba9d935e9441169f0705877cf3578f2ef4fc1b54921e9e15ecc70003c67452ae1393f01
-
Filesize 7KB
MD5 26009f092ba352c1a64322268b47e0e3
SHA1 e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256 150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512 c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize 99KB
MD5 1e3cf83b17891aee98c3e30012f0b034
SHA1 824f299e8efd95beca7dd531a1067bfd5f03b646
SHA256 9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f
SHA512 fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b
-
Filesize 2KB
MD5 72144e1e4d46d0ccfb961c95394d4ffe
SHA1 05507f12fdc30a390d76e4cd266f411ee5916f14
SHA256 8471254ad241b8bbf04593d0f07bbd3bcef00a4c0393392851ae25e5e40d216d
SHA512 d12ed1381607db2694b808c9228998c37929f3b2201ae418a132999ce22e34b323ba705cedd8d28ba1b81134180981d03349307d3945e1e6b3fee91af82920a1
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 12KB
MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
-
Filesize 51KB
MD5 7f8e1969b0874c8fb9ab44fc36575380
SHA1 3057c9ce90a23d29f7d0854472f9f44e87b0f09a
SHA256 076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd
SHA512 7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555
-
Filesize 9KB
MD5 b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA256 89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA512 6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8
-
Filesize 7KB
MD5 11092c1d3fbb449a60695c44f9f3d183
SHA1 b89d614755f2e943df4d510d87a7fc1a3bcf5a33
SHA256 2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
SHA512 c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a
-
Filesize 4KB
MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
-
Filesize 38KB
MD5 c10ccdec5d7af458e726a51bb3cdc732
SHA1 0553aab8c2106abb4120353360d747b0a2b4c94f
SHA256 589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253
SHA512 7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981
-
Filesize 10KB
MD5 f73ac62e8df97faf3fc8d83e7f71bf3f
SHA1 619a6e8f7a9803a4c71f73060649903606beaf4e
SHA256 cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b
SHA512 f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe