redline | hxxps://goo-gl[.]ru/ptHYa

Analysis

max time kernel
567s
max time network
570s
platform
windows10_x64
resource
win10v20201028
submitted
10-03-2021 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://goo-gl.ru/ptHYa
Sample

210310-lga9r7qtf6

Score

10^/10

redline bootkit discovery infostealer persistence upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4532-110-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/4532-111-0x000000000041F38E-mapping.dmp	family_redline
behavioral1/memory/4088-149-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/4088-150-0x000000000041F38E-mapping.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1396 created 4604 1396 WerFault.exe 9HHytXbBNDOTS5.exe

description	pid	process	target process
PID 1396 created 4604	1396	WerFault.exe	9HHytXbBNDOTS5.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\ApiTool.dll	acprotect
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\ApiTool.dll	acprotect

Blocklisted process makes network request 7 IoCs

Processes:

MsiExec.exe

flow pid process

128 2200 MsiExec.exe
129 2200 MsiExec.exe
134 2200 MsiExec.exe
135 2200 MsiExec.exe
137 2200 MsiExec.exe
128 2200 MsiExec.exe
129 2200 MsiExec.exe

flow	pid	process
128	2200	MsiExec.exe
129	2200	MsiExec.exe
134	2200	MsiExec.exe
135	2200	MsiExec.exe
137	2200	MsiExec.exe
128	2200	MsiExec.exe
129	2200	MsiExec.exe

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\SETF964.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF964.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Executes dropped EXE 18 IoCs

Processes:

sigma_519113452.tmpArchitecto.exeH7TmAucOwDdlT4JLMW.exevpn.exe1499884026.exevpn.tmp9HHytXbBNDOTS5.exe749307645.exe7EoQL20.exetapinstall.exetapinstall.exemask_svc.exemask_svc.exemask_svc.exesetup.exeaipackagechainer.exeWeather_Installation.exeWeather.exe

pid	process
4480	sigma_519113452.tmp
2312	Architecto.exe
4808	H7TmAucOwDdlT4JLMW.exe
3944	vpn.exe
4404	1499884026.exe
2920	vpn.tmp
4604	9HHytXbBNDOTS5.exe
3976	749307645.exe
3140	7EoQL20.exe
1176	tapinstall.exe
2176	tapinstall.exe
2108	mask_svc.exe
4956	mask_svc.exe
5092	mask_svc.exe
2804	setup.exe
2132	aipackagechainer.exe
4832	Weather_Installation.exe
4616	Weather.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\ApiTool.dll	upx
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\ApiTool.dll	upx

Loads dropped DLL 43 IoCs

Processes:

sigma_519113452.tmpvpn.tmp7EoQL20.exeMsiExec.exeMsiExec.exemask_svc.exeWeather_Installation.exeWeather.exe

pid	process
4480	sigma_519113452.tmp
4480	sigma_519113452.tmp
4480	sigma_519113452.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
3140	7EoQL20.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
2200	MsiExec.exe
5092	mask_svc.exe
5092	mask_svc.exe
5092	mask_svc.exe
5092	mask_svc.exe
5092	mask_svc.exe
5092	mask_svc.exe
2920	vpn.tmp
2920	vpn.tmp
4832	Weather_Installation.exe
4832	Weather_Installation.exe
4832	Weather_Installation.exe
4832	Weather_Installation.exe
4832	Weather_Installation.exe
4832	Weather_Installation.exe
4616	Weather.exe
4832	Weather_Installation.exe
4616	Weather.exe
4616	Weather.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Weather_Installation.exeaipackagechainer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Users\\Admin\\AppData\\Roaming\\Weather\\Weather.exe --anbfs"	Weather_Installation.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Weather_Installation.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe7EoQL20.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	7EoQL20.exe
File opened (read-only)	\??\H:	7EoQL20.exe
File opened (read-only)	\??\J:	7EoQL20.exe
File opened (read-only)	\??\L:	7EoQL20.exe
File opened (read-only)	\??\N:	7EoQL20.exe
File opened (read-only)	\??\V:	7EoQL20.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	7EoQL20.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	7EoQL20.exe
File opened (read-only)	\??\T:	7EoQL20.exe
File opened (read-only)	\??\W:	7EoQL20.exe
File opened (read-only)	\??\X:	7EoQL20.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	7EoQL20.exe
File opened (read-only)	\??\K:	7EoQL20.exe
File opened (read-only)	\??\U:	7EoQL20.exe
File opened (read-only)	\??\Z:	7EoQL20.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	7EoQL20.exe
File opened (read-only)	\??\M:	7EoQL20.exe
File opened (read-only)	\??\Q:	7EoQL20.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	7EoQL20.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	7EoQL20.exe
File opened (read-only)	\??\R:	7EoQL20.exe
File opened (read-only)	\??\S:	7EoQL20.exe
File opened (read-only)	\??\Y:	7EoQL20.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	7EoQL20.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

setup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	setup.exe

Drops file in System32 directory 17 IoCs

Processes:

WerFault.exetapinstall.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}	WerFault.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\SETF454.tmp	WerFault.exe
File created	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\SETF454.tmp	WerFault.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\SETF455.tmp	WerFault.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\tap0901.sys	WerFault.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	WerFault.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	WerFault.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\tap0901.cat	WerFault.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\oemvista.inf	WerFault.exe
File created	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\SETF455.tmp	WerFault.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\SETF456.tmp	WerFault.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	WerFault.exe
File created	C:\Windows\System32\DriverStore\Temp\{144981c6-8099-4441-88e8-961dc1a65a40}\SETF456.tmp	WerFault.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	WerFault.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	WerFault.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

2108 mask_svc.exe
4956 mask_svc.exe
5092 mask_svc.exe

pid	process
2108	mask_svc.exe
4956	mask_svc.exe
5092	mask_svc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1499884026.exe749307645.exe

description	pid	process	target process
PID 4404 set thread context of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 3976 set thread context of 4088	3976	749307645.exe	AddInProcess32.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpsigma_519113452.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2TD7D.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-HNQ5T.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VJSQE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-NB01D.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-016EP.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rem\tenetur\is-5B5HK.tmp	sigma_519113452.tmp
File created	C:\Program Files (x86)\MaskVPN\is-T8U6B.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-4P4OF.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Rem\inventore\Architecto.exe	sigma_519113452.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-RMEH8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3SSI0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-M9IG3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-AJRRB.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JT45L.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-IQVR0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-3HGER.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-0F3K8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-E3E9R.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rem\is-V99PC.tmp	sigma_519113452.tmp
File created	C:\Program Files (x86)\Rem\inventore\is-MFDA9.tmp	sigma_519113452.tmp
File created	C:\Program Files (x86)\MaskVPN\is-K0P2L.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-8B9SP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-8801P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-RCBBV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-QTBPQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MV6KN.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rem\inventore\is-HJ58J.tmp	sigma_519113452.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-AL1HH.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-1FM48.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-8L6ET.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-ALUEJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rem\inventore\is-O0F81.tmp	sigma_519113452.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-TGL1T.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-LJLMR.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rem\unins000.dat	sigma_519113452.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-FP8QM.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Rem\inventore\sqlite3.dll	sigma_519113452.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JE53F.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SHGRF.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\Rem\inventore\is-Q4BLL.tmp	sigma_519113452.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-FF8FL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-9A5DG.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rem\inventore\is-H6J5P.tmp	sigma_519113452.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q6CJ8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-332UR.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-NGFGF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-DOT94.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File created	C:\Program Files (x86)\Rem\is-TS2KJ.tmp	sigma_519113452.tmp
File created	C:\Program Files (x86)\Rem\is-RJOOB.tmp	sigma_519113452.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp

Drops file in Windows directory 26 IoCs

Processes:

msiexec.exeWerFault.exeDrvInst.exeaipackagechainer.exetapinstall.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI7DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI100D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID663.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	WerFault.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7603e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1137.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BD9.tmp	msiexec.exe
File created	C:\Windows\Tasks\.job	aipackagechainer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\Installer\f7603e4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B6A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DBE.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	WerFault.exe
File created	C:\Windows\inf\oem2.inf	WerFault.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FB4.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 54 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2908	2312	WerFault.exe	Architecto.exe
3160	2312	WerFault.exe	Architecto.exe
3864	2312	WerFault.exe	Architecto.exe
2864	2312	WerFault.exe	Architecto.exe
4592	2312	WerFault.exe	Architecto.exe
2476	2312	WerFault.exe	Architecto.exe
4320	2312	WerFault.exe	Architecto.exe
1568	2312	WerFault.exe	Architecto.exe
2184	2312	WerFault.exe	Architecto.exe
3720	2312	WerFault.exe	Architecto.exe
1520	2312	WerFault.exe	Architecto.exe
3136	2312	WerFault.exe	Architecto.exe
4456	2312	WerFault.exe	Architecto.exe
4920	2312	WerFault.exe	Architecto.exe
4824	2312	WerFault.exe	Architecto.exe
3972	2312	WerFault.exe	Architecto.exe
440	2312	WerFault.exe	Architecto.exe
4148	2312	WerFault.exe	Architecto.exe
1016	2312	WerFault.exe	Architecto.exe
1008	2312	WerFault.exe	Architecto.exe
828	2312	WerFault.exe	Architecto.exe
376	2312	WerFault.exe	Architecto.exe
4780	2312	WerFault.exe	Architecto.exe
2188	2312	WerFault.exe	Architecto.exe
2144	2312	WerFault.exe	Architecto.exe
4860	2312	WerFault.exe	Architecto.exe
1152	2312	WerFault.exe	Architecto.exe
3464	2312	WerFault.exe	Architecto.exe
4112	2312	WerFault.exe	Architecto.exe
1248	2312	WerFault.exe	Architecto.exe
4828	2312	WerFault.exe	Architecto.exe
4732	2312	WerFault.exe	Architecto.exe
4296	2312	WerFault.exe	Architecto.exe
4080	2312	WerFault.exe	Architecto.exe
2984	2312	WerFault.exe	Architecto.exe
4620	2312	WerFault.exe	Architecto.exe
4448	2312	WerFault.exe	Architecto.exe
1564	2312	WerFault.exe	Architecto.exe
5036	2312	WerFault.exe	Architecto.exe
3304	2312	WerFault.exe	Architecto.exe
4708	2312	WerFault.exe	Architecto.exe
1596	2312	WerFault.exe	Architecto.exe
2192	2312	WerFault.exe	Architecto.exe
2856	2312	WerFault.exe	Architecto.exe
4084	4604	WerFault.exe	9HHytXbBNDOTS5.exe
1572	2312	WerFault.exe	Architecto.exe
3932	2312	WerFault.exe	Architecto.exe
4984	4604	WerFault.exe	9HHytXbBNDOTS5.exe
4056	2312	WerFault.exe	Architecto.exe
4568	4604	WerFault.exe	9HHytXbBNDOTS5.exe
4788	4604	WerFault.exe	9HHytXbBNDOTS5.exe
3676	4604	WerFault.exe	9HHytXbBNDOTS5.exe
2024	4604	WerFault.exe	9HHytXbBNDOTS5.exe
1396	4604	WerFault.exe	9HHytXbBNDOTS5.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDrvInst.exeWerFault.exetapinstall.exetapinstall.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1636 timeout.exe
1720 timeout.exe

pid	process
1636	timeout.exe
1720	timeout.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = de4ef1e88fadd601	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01d0d2ebe15d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea33d17be50111448cf1e90bd1c2b2c50000000002000000000010660000000100002000000069abed84a28ea0f9dc20b89f70be964f0ff23c6e92f39d49bdc22623b9d765bc000000000e800000000200002000000094574c780ed521b23f8061a94d294ced4478e456315a135736bf1967a915b48920000000ce560a96641fa95298c1684d26a2a1157683e2bd04712ac665d28e520d5878ca400000000e9f1b0f361668771b33ba4fcc72a9d418d578dd2fec57e4768b214b9c0d3f087702f1470b4261024e8b1dc1cbb84343bf368606a101e14aa2dc353a0c198471	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{A1E804D9-86B5-4BD4-949C-5949BD8CC015}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0c5a43cbe15d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "322153399"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30873022"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea33d17be50111448cf1e90bd1c2b2c500000000020000000000106600000001000020000000b1a3260b1508d9d60d08312fd204fc37ecf915fcd3bbe7f3e73f13f9213807e2000000000e8000000002000020000000deb0f14fb3b6296315e8fc85395443938123e16c81311bd6967ba1a4712587fb200000002ff5461722f63e569502177512c47090903178a3d93b9f640a5a521ab97fb16d40000000f043d967e980cc45d6bcb9f02450dacfc4d4f90e49f5d7102982dfddb8c7a530b2bf540a5c323cb149ce635dc33624b749c01bd9a92168bad1f0bc01c162a530	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "730426712"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30873022"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "742301769"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6078043abe15d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea33d17be50111448cf1e90bd1c2b2c500000000020000000000106600000001000020000000a2c88e2b1e3e3b31528e7f2b7ce9f487b641d2e194dbb64537566c680267e536000000000e8000000002000020000000cb438fba857f40bc33eed4f501ee3cb7fb52cc454b6409070b66c938e56ad9c220000000df70c9be20444a63db5ed3bba9ca347d02b797c9f3dd2f17e99900f8180d7c4340000000235f26e29994ad64cd6f6dfa6a0163297c52ad0d2796c299db15e8fcbe7d0f34b52e7df99789e339217e42f01be807ad5062718c03af8b1a3bbbfa4fd552cbee	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "322201984"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{570F1F0A-81B1-11EB-BEBD-EEE2FDE4DDD4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "730426712"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70bf1d2ebe15d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea33d17be50111448cf1e90bd1c2b2c500000000020000000000106600000001000020000000c0f97779e91e7d094291aea2c0f45d41c8b6c9e73563da8a15fcd6d2028ef829000000000e80000000020000200000003dad49b08ba0664f331ed929b6ca6a7c32da4c8e79a159dcec283e848acf44a32000000062781edfabc2e0481fd4d51a6257ac02e3a0d2feced5801bfe67a8da8a3176be40000000454a6893150e6a34d577f53d13d39bd7307c1176466ef794330db282c386ac9ed74e6f9100e5a39b1eeaa0d5b9a4cbe84e2c87e74c807b36eb84abf93354912c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\failzoma.ru\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30873022"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\failzoma.ru	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "322169993"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.exeWerFault.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	mask_svc.exe

Modifies registry class 7 IoCs

Processes:

iexplore.exeArchitecto.exevpn.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	Architecto.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	vpn.tmp

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7EoQL20.exetapinstall.exeH7TmAucOwDdlT4JLMW.exevpn.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	7EoQL20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	H7TmAucOwDdlT4JLMW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	7EoQL20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	7EoQL20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	7EoQL20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	7EoQL20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	7EoQL20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	H7TmAucOwDdlT4JLMW.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	7EoQL20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	7EoQL20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	7EoQL20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3968 PING.EXE

pid	process
3968	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sigma_519113452.tmpArchitecto.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4480	sigma_519113452.tmp
4480	sigma_519113452.tmp
2312	Architecto.exe
2312	Architecto.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe1499884026.exevpn.tmpWerFault.exeWerFault.exeWerFault.exeWerFault.exe749307645.exeWerFault.exeWerFault.exeWerFault.exemsiexec.exeWerFault.exe7EoQL20.exe

description	pid	process
Token: SeRestorePrivilege	2908	WerFault.exe
Token: SeBackupPrivilege	2908	WerFault.exe
Token: SeDebugPrivilege	2908	WerFault.exe
Token: SeDebugPrivilege	3160	WerFault.exe
Token: SeDebugPrivilege	3864	WerFault.exe
Token: SeDebugPrivilege	2864	WerFault.exe
Token: SeDebugPrivilege	4592	WerFault.exe
Token: SeDebugPrivilege	2476	WerFault.exe
Token: SeDebugPrivilege	4320	WerFault.exe
Token: SeDebugPrivilege	1568	WerFault.exe
Token: SeDebugPrivilege	2184	WerFault.exe
Token: SeDebugPrivilege	3720	WerFault.exe
Token: SeDebugPrivilege	1520	WerFault.exe
Token: SeDebugPrivilege	3136	WerFault.exe
Token: SeDebugPrivilege	4456	WerFault.exe
Token: SeDebugPrivilege	4920	WerFault.exe
Token: SeDebugPrivilege	4824	WerFault.exe
Token: SeDebugPrivilege	3972	WerFault.exe
Token: SeDebugPrivilege	440	WerFault.exe
Token: SeDebugPrivilege	4148	WerFault.exe
Token: SeDebugPrivilege	1016	WerFault.exe
Token: SeDebugPrivilege	1008	WerFault.exe
Token: SeDebugPrivilege	828	WerFault.exe
Token: SeDebugPrivilege	376	WerFault.exe
Token: SeDebugPrivilege	4780	WerFault.exe
Token: SeDebugPrivilege	2188	WerFault.exe
Token: SeDebugPrivilege	2144	WerFault.exe
Token: SeDebugPrivilege	4860	WerFault.exe
Token: SeDebugPrivilege	1152	WerFault.exe
Token: SeDebugPrivilege	3464	WerFault.exe
Token: SeDebugPrivilege	4112	WerFault.exe
Token: SeDebugPrivilege	1248	WerFault.exe
Token: SeDebugPrivilege	4828	WerFault.exe
Token: SeDebugPrivilege	4732	WerFault.exe
Token: SeDebugPrivilege	4296	WerFault.exe
Token: SeDebugPrivilege	4080	WerFault.exe
Token: SeDebugPrivilege	2984	WerFault.exe
Token: SeDebugPrivilege	4404	1499884026.exe
Token: SeDebugPrivilege	2920	vpn.tmp
Token: SeDebugPrivilege	2920	vpn.tmp
Token: SeDebugPrivilege	4620	WerFault.exe
Token: SeDebugPrivilege	4448	WerFault.exe
Token: SeDebugPrivilege	1564	WerFault.exe
Token: SeDebugPrivilege	5036	WerFault.exe
Token: SeDebugPrivilege	3976	749307645.exe
Token: SeDebugPrivilege	3304	WerFault.exe
Token: SeDebugPrivilege	4708	WerFault.exe
Token: SeDebugPrivilege	1596	WerFault.exe
Token: SeSecurityPrivilege	4700	msiexec.exe
Token: SeDebugPrivilege	2192	WerFault.exe
Token: SeCreateTokenPrivilege	3140	7EoQL20.exe
Token: SeAssignPrimaryTokenPrivilege	3140	7EoQL20.exe
Token: SeLockMemoryPrivilege	3140	7EoQL20.exe
Token: SeIncreaseQuotaPrivilege	3140	7EoQL20.exe
Token: SeMachineAccountPrivilege	3140	7EoQL20.exe
Token: SeTcbPrivilege	3140	7EoQL20.exe
Token: SeSecurityPrivilege	3140	7EoQL20.exe
Token: SeTakeOwnershipPrivilege	3140	7EoQL20.exe
Token: SeLoadDriverPrivilege	3140	7EoQL20.exe
Token: SeSystemProfilePrivilege	3140	7EoQL20.exe
Token: SeSystemtimePrivilege	3140	7EoQL20.exe
Token: SeProfSingleProcessPrivilege	3140	7EoQL20.exe
Token: SeIncBasePriorityPrivilege	3140	7EoQL20.exe
Token: SeCreatePagefilePrivilege	3140	7EoQL20.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exesigma_519113452.tmpvpn.tmp7EoQL20.exe

pid	process
4640	iexplore.exe
4640	iexplore.exe
4480	sigma_519113452.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
3140	7EoQL20.exe
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp
2920	vpn.tmp

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEsetup.exe

pid	process
4640	iexplore.exe
4640	iexplore.exe
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
5020	IEXPLORE.EXE
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE
2804	setup.exe
2804	setup.exe
2804	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exesigma_519113452.exesigma_519113452.tmpArchitecto.exeH7TmAucOwDdlT4JLMW.exevpn.exe1499884026.exevpn.tmpcmd.execmd.exe749307645.exemsiexec.exe

description	pid	process	target process
PID 4640 wrote to memory of 5020	4640	iexplore.exe	IEXPLORE.EXE
PID 4640 wrote to memory of 5020	4640	iexplore.exe	IEXPLORE.EXE
PID 4640 wrote to memory of 5020	4640	iexplore.exe	IEXPLORE.EXE
PID 4640 wrote to memory of 1392	4640	iexplore.exe	IEXPLORE.EXE
PID 4640 wrote to memory of 1392	4640	iexplore.exe	IEXPLORE.EXE
PID 4640 wrote to memory of 1392	4640	iexplore.exe	IEXPLORE.EXE
PID 4356 wrote to memory of 4480	4356	sigma_519113452.exe	sigma_519113452.tmp
PID 4356 wrote to memory of 4480	4356	sigma_519113452.exe	sigma_519113452.tmp
PID 4356 wrote to memory of 4480	4356	sigma_519113452.exe	sigma_519113452.tmp
PID 4480 wrote to memory of 2312	4480	sigma_519113452.tmp	Architecto.exe
PID 4480 wrote to memory of 2312	4480	sigma_519113452.tmp	Architecto.exe
PID 4480 wrote to memory of 2312	4480	sigma_519113452.tmp	Architecto.exe
PID 2312 wrote to memory of 4808	2312	Architecto.exe	H7TmAucOwDdlT4JLMW.exe
PID 2312 wrote to memory of 4808	2312	Architecto.exe	H7TmAucOwDdlT4JLMW.exe
PID 2312 wrote to memory of 4808	2312	Architecto.exe	H7TmAucOwDdlT4JLMW.exe
PID 2312 wrote to memory of 3944	2312	Architecto.exe	vpn.exe
PID 2312 wrote to memory of 3944	2312	Architecto.exe	vpn.exe
PID 2312 wrote to memory of 3944	2312	Architecto.exe	vpn.exe
PID 4808 wrote to memory of 4404	4808	H7TmAucOwDdlT4JLMW.exe	1499884026.exe
PID 4808 wrote to memory of 4404	4808	H7TmAucOwDdlT4JLMW.exe	1499884026.exe
PID 4808 wrote to memory of 4404	4808	H7TmAucOwDdlT4JLMW.exe	1499884026.exe
PID 3944 wrote to memory of 2920	3944	vpn.exe	vpn.tmp
PID 3944 wrote to memory of 2920	3944	vpn.exe	vpn.tmp
PID 3944 wrote to memory of 2920	3944	vpn.exe	vpn.tmp
PID 2312 wrote to memory of 4604	2312	Architecto.exe	9HHytXbBNDOTS5.exe
PID 2312 wrote to memory of 4604	2312	Architecto.exe	9HHytXbBNDOTS5.exe
PID 2312 wrote to memory of 4604	2312	Architecto.exe	9HHytXbBNDOTS5.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4404 wrote to memory of 4532	4404	1499884026.exe	AddInProcess32.exe
PID 4808 wrote to memory of 3976	4808	H7TmAucOwDdlT4JLMW.exe	749307645.exe
PID 4808 wrote to memory of 3976	4808	H7TmAucOwDdlT4JLMW.exe	749307645.exe
PID 4808 wrote to memory of 3976	4808	H7TmAucOwDdlT4JLMW.exe	749307645.exe
PID 2312 wrote to memory of 3140	2312	Architecto.exe	7EoQL20.exe
PID 2312 wrote to memory of 3140	2312	Architecto.exe	7EoQL20.exe
PID 2312 wrote to memory of 3140	2312	Architecto.exe	7EoQL20.exe
PID 2920 wrote to memory of 4752	2920	vpn.tmp	cmd.exe
PID 2920 wrote to memory of 4752	2920	vpn.tmp	cmd.exe
PID 2920 wrote to memory of 4752	2920	vpn.tmp	cmd.exe
PID 4752 wrote to memory of 1176	4752	cmd.exe	tapinstall.exe
PID 4752 wrote to memory of 1176	4752	cmd.exe	tapinstall.exe
PID 2920 wrote to memory of 4812	2920	vpn.tmp	cmd.exe
PID 2920 wrote to memory of 4812	2920	vpn.tmp	cmd.exe
PID 2920 wrote to memory of 4812	2920	vpn.tmp	cmd.exe
PID 4812 wrote to memory of 2176	4812	cmd.exe	tapinstall.exe
PID 4812 wrote to memory of 2176	4812	cmd.exe	tapinstall.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 3976 wrote to memory of 4088	3976	749307645.exe	AddInProcess32.exe
PID 4808 wrote to memory of 4560	4808	H7TmAucOwDdlT4JLMW.exe	cmd.exe
PID 4808 wrote to memory of 4560	4808	H7TmAucOwDdlT4JLMW.exe	cmd.exe
PID 4808 wrote to memory of 4560	4808	H7TmAucOwDdlT4JLMW.exe	cmd.exe
PID 4700 wrote to memory of 4516	4700	msiexec.exe	MsiExec.exe
PID 4700 wrote to memory of 4516	4700	msiexec.exe	MsiExec.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4396 attrib.exe
4892 attrib.exe

pid	process
4396	attrib.exe
4892	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://goo-gl.ru/ptHYa
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4640 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4640 CREDAT:148483 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\Temp1_sigma_519113452.zip\sigma_519113452.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_sigma_519113452.zip\sigma_519113452.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Users\Admin\AppData\Local\Temp\is-N5NQ7.tmp\sigma_519113452.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N5NQ7.tmp\sigma_519113452.tmp" /SL5="$30302,2818535,119296,C:\Users\Admin\AppData\Local\Temp\Temp1_sigma_519113452.zip\sigma_519113452.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4480

C:\Program Files (x86)\Rem\inventore\Architecto.exe
"C:\Program Files (x86)\Rem/\inventore\Architecto.exe" 536e20add075c9d78ad2c1422a6f9ec4
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 840
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 816
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 888
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 980
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1020
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 960
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1052
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1076
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1128
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1156
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 996
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1528
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1504
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1608
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1596
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1504
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 948
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1756
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1588
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1760
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1812
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1832
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1868
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1728
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1900
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1980
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1976
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1936
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1888
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1940
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1916
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1920
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Users\Admin\AppData\Local\Temp\BTPHi3h8\H7TmAucOwDdlT4JLMW.exe
C:\Users\Admin\AppData\Local\Temp\BTPHi3h8\H7TmAucOwDdlT4JLMW.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\1499884026.exe
C:\Users\Admin\AppData\Local\Temp\1499884026.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\749307645.exe
C:\Users\Admin\AppData\Local\Temp\749307645.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\BTPHi3h8\H7TmAucOwDdlT4JLMW.exe & exit
5⤵
PID:4560

C:\Windows\SysWOW64\PING.EXE
ping 0
6⤵
- Runs ping.exe
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1816
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1760
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Users\Admin\AppData\Local\Temp\84m3tzia\vpn.exe
C:\Users\Admin\AppData\Local\Temp\84m3tzia\vpn.exe /silent /subid=510x536e20add075c9d78ad2c1422a6f9ec4
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\is-GAUV3.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GAUV3.tmp\vpn.tmp" /SL5="$10440,15170975,270336,C:\Users\Admin\AppData\Local\Temp\84m3tzia\vpn.exe" /silent /subid=510x536e20add075c9d78ad2c1422a6f9ec4
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:2176

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2108

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1524
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1872
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Users\Admin\AppData\Local\Temp\zk0wuKZM\9HHytXbBNDOTS5.exe
C:\Users\Admin\AppData\Local\Temp\zk0wuKZM\9HHytXbBNDOTS5.exe /usthree SUB=536e20add075c9d78ad2c1422a6f9ec4
4⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 652
5⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 700
5⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 768
5⤵
- Program crash
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 812
5⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Program crash
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 900
5⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 932
5⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1136
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1732
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1872
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1596
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1576
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Users\Admin\AppData\Local\Temp\cqJ8vRss\7EoQL20.exe
C:\Users\Admin\AppData\Local\Temp\cqJ8vRss\7EoQL20.exe /quiet SILENT=1 AF=721__536e20add075c9d78ad2c1422a6f9ec4
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3140

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=721__536e20add075c9d78ad2c1422a6f9ec4 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\cqJ8vRss\7EoQL20.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\cqJ8vRss\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1615129142 /quiet SILENT=1 AF=721__536e20add075c9d78ad2c1422a6f9ec4 " AF="721__536e20add075c9d78ad2c1422a6f9ec4" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
5⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1828
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1864
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1876
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2016
4⤵
- Program crash
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1908
4⤵
- Program crash
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1980
4⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 472
4⤵
- Program crash
PID:4056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1D6C028C202F15A57388029E5E2E1885 C
2⤵
- Loads dropped DLL
PID:4516

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 21AB7C40A379A4619DD4C29C1F70417B
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2200

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:2132

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=721__536e20add075c9d78ad2c1422a6f9ec4 -BF=default -uncf=default
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:4832

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE1DDF.bat" "
3⤵
PID:228

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:4396

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE1E1F.bat" "
3⤵
PID:4720

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:4892

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:1636

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4608

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{744d9ad1-5661-074e-856d-72594e507661}\oemvista.inf" "9" "4d14a44ff" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:4788

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3004

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:2140

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:1412

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:5092

C:\Users\Admin\Documents\setup.exe
"C:\Users\Admin\Documents\setup.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MaskVPN\driver\win764\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\install.bat
MD5
3a05ce392d84463b43858e26c48f9cbf

SHA1
78f624e2c81c3d745a45477d61749b8452c129f1

SHA256
5b56d8b121fc9a7f2d4e90edb1b29373cd2d06bac1c54ada8f6cb559b411180b

SHA512
8a31fda09f0fa7779c4fb0c0629d4d446957c8aaae0595759dd2b434e84a17ecb6ffe4beff973a245caf0452a0c04a488d2ae7b232d8559f3bd1bfd68fed7cf1

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
MD5
9133a44bfd841b8849bddead9957c2c3

SHA1
3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

SHA256
b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

SHA512
d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

Download Submit
C:\Program Files (x86)\Rem\inventore\Architecto.exe
MD5
abec295c82ec5f11f2179b67eb370d5e

SHA1
b21a71fef02a242b9e0f5e7ed3408082d54bed26

SHA256
46cd8b69e61c8a13df0dccac98410be9de61335fb14b0fb77c632e90948a037e

SHA512
ad8c5da603c86d4280fa4d4fe6a3007a703d3c0ef34873d5d6c412a7620af10a59b66b5d1a38b7be33fdd60b6430b3fc4052f24b80c8cf56f5ea25210855596f

Download Submit
C:\Program Files (x86)\Rem\inventore\Architecto.exe
MD5
abec295c82ec5f11f2179b67eb370d5e

SHA1
b21a71fef02a242b9e0f5e7ed3408082d54bed26

SHA256
46cd8b69e61c8a13df0dccac98410be9de61335fb14b0fb77c632e90948a037e

SHA512
ad8c5da603c86d4280fa4d4fe6a3007a703d3c0ef34873d5d6c412a7620af10a59b66b5d1a38b7be33fdd60b6430b3fc4052f24b80c8cf56f5ea25210855596f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
50d07e64e3238da3764e519781a4c457

SHA1
df7812d8516572253185a1a09440450a7719ec1d

SHA256
2d6e623cbde0b5632db298f854119721d4974159da4125481674bfb41c61688e

SHA512
7628988e2822282b47c3796238bd87aac5b73e596fa4b5bfa57746890bc2cddc0e0fb445ddc27b1431c029bcd5d1787f64adb7f777583e7d097a8095832ceb48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
4cee81433c0ffbcf97c3b9949360053a

SHA1
837f1b54d8f0563bfebfc41b043ed282d06db277

SHA256
0dc7dcd4eddde284122c5cbb8ed5aaa5b34d6b35a90c0dc2fa5e72ecc7f6485e

SHA512
02337634b958f9855fcf2be26225ee1a1538dd951d4539853b3663d5a784526c3c3a98417053216cf31e85a8e95bcd388696ac1f4ac39c275dc0f4a493ca9c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
9c364bf8a0f6e43c4b8f6ba17ba53580

SHA1
9a4d3a93a1f0620fea084bbc2ccfd6134a43f9e2

SHA256
235804fea5a88c3350ed1cd4857c2950ac6e1b7586e6a23c130c0a06d2ac3f6a

SHA512
10f849127482f85d86e6b7a37e37ae5dd2110f1440aa47373d4feb34375c7a7df74b236f5bcf43bb454edf986203d032f79aabb20612079c52bd83c15551983e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F9C8BE050DD03D62E7AB35100A7DC1EF
MD5
137c9ffb2389a629e3b027e2389fb949

SHA1
df7e95f365b6be2ba4183300b4fb7d809c019ec6

SHA256
acb9295369223900cf3c85e1a1f80e3b77e7daf8703b09d35adcbaef14895a7a

SHA512
346ebc491e1a3ab4c6982b8617697af86680480faeb10425345143e2324cdd508e8413a9b6a0459b6d276158c270e4188e6dbcf243c726aecb694eae8836690e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
4b969f499a279886cb30cf5125c95044

SHA1
3ceeb84e3554fab1e4651ceebc24aeb4fc366ee5

SHA256
ad6ff1fdb5362d8b2ae6c6e3e807b562770e1bd5f0dc5aea6c71f850e0c00024

SHA512
c6d0ef2202f39158fc1104132cfc65ea872706d2875e3d9eae2baa2479edb4cc5a1db69d9a04cfb5dbbc486f9e588fb9093b6ad28d14c3317f2aea99c9b4ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
d5351d1e84392c8b669589f810b5ff67

SHA1
3e5f2eeed86566aedecf5088e6cf0cda6bf3de89

SHA256
44112dcd2ff26f7e72580968cbe7131fc99a4842e1e7ddae77cfed820dc8c9df

SHA512
e06e8e5f7eab9e40c40f1c16a646014f45be95e2a65339a62eebe9e4939422b01d322b801fdc47b2aa005b1d2525f4bca54730096273fd17302a53751f2144e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
55a2170af44a470240dcfc99d9924c3f

SHA1
8beeeb43eb0b57b27d118f1642830936c99ded4d

SHA256
28c437e4e211ddaab0c7159a3390d34f8232da361230bf8713853a517dca9a4c

SHA512
c12f5f4b5824a37b8f40edd41bc751c7f8971b2217851489f3ca8461283c136e779377f0676a3ab81b4aa1fb6e6dee374d1cdd99ee1b3ca95d7793f0f6bc4147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F9C8BE050DD03D62E7AB35100A7DC1EF
MD5
ba0f77e6ee3305e8152ef6a34577c4e7

SHA1
7e0ee8d57198b44db8721f79d23622f3ba2497cc

SHA256
852210e61b2cb74c8564e6b74753fde51c0a3c45de6901508f903642d5b97b07

SHA512
2e0dea22c5c163f9ab287795afcab6371041ae56d1f05c35471fc6904b8f07cf69482ef33535d46bfd773fabbef7f47a773ae5dab660842164eade360060cf39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\sigma_519113452.zip.ompuhhw.partial
MD5
1e693ec7a966ddd46445dc605ad722b9

SHA1
79dfbdcc91e3bb12301623cada63a7862c501cb4

SHA256
2b8fef418dcefa8dbdbba130c915ff9578f523213e5be2019996dc374d576b9d

SHA512
2987f4afbc702f2934a37f2868dc48deca5e3fe1b3c73ad0d12c90f5e8a8a5bb302825aeda520560c418f6f00af37754a05acdd6c7241adfbbcdbeb05baa97cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1E6CK7BD.cookie
MD5
876889e653bbae97d27e1d9e0a9ccfd7

SHA1
131a6ef7d106cefea3438d704e188f675cc1c489

SHA256
438a186f5fce0fdd2a9150d39a2f67d7618497e192a6bb23568de5f0387ffd53

SHA512
cbc5a97eaced0665858384a46cb4ded7d145bc20863063ba3b3921a968bdf7e382ff50ef160651cf56b2a2ed8232ad13ff35b72ef2d305419ba8381ae4eb95f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\30N5NJAH.cookie
MD5
4142c2ddf984cae2edf5f554c1bdd3e8

SHA1
acce43520a91d95ecfcc0dddfa9ac87906d9fb84

SHA256
6c5cd886fd545ea7c6288352c4bd5f80d3ea1a15806bcb21b564f227cec7ab9b

SHA512
fe7b7f8662f744a68eae30547e877ef7cb854a2092ef185e87c0f9ce83e93d753af061c91a69a393e12c1277231fd9bbc320c9845959ebb9c596de1fd948bbd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\91GI900X.cookie
MD5
9b939e2aaa7e697c47e0189d453dfa98

SHA1
0a5db86112e44e17422b04f4add0275576ffd017

SHA256
59461d5d49846379d38c8880d9bb6d296b5ce5412daf3256381df1d652f31341

SHA512
88bc8b65294e43fce7a95d77564bf7617536b2beeb3d2c68434f44d8eff9692e72bb6af79ccfb47f927f3bde05e4491b61e6dd0139732a51fa1112d21bf7d151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9I1OQ3R0.cookie
MD5
7cc5d840ce1db9348e05730025057b54

SHA1
428335cdec3b8fadf7eda20c5222cf06239b8fb7

SHA256
5168b8a3d3f34cfe2792834e3199e10497be1e68a03d619b75522fd4594b72af

SHA512
0398de0255cc2774455791188fa88d2cd8ed042df42b574a1d6f6b44e4858bb12cf627962a3d18bf5b0b648bc05120e81838254c20205db2e428f89d336c5cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\U9TYXTQJ.cookie
MD5
65d66eee8b3b8104d2fdcaaed7d57c90

SHA1
84d5d1077d259bff8e75ba3f1632c29ec7d1a755

SHA256
92898f064e9cce8a992f845adca1ec1970cb95eed04c6667e201ab337320d4cb

SHA512
bcf3826eec8b754ddfca76cb9dc9c01e3fa607392acbedf1908602ee4b093da72cc4cfaa4c46e6a3e69ede4ac0b5fa47c002497069f70bf3856d97c26da0a4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VHXZPCHF.cookie
MD5
0054eaba5666f2a07b1528841ac90f70

SHA1
05950e979b04224facee67e493c4f1490976228b

SHA256
3a93d57c27e2b0ded29d201cd87b11648dafaac612499ee5d433d6bd3ce6f767

SHA512
b0fcb4401a60f5bd3857379b12f36eabdd7251fe60c83322b7d43407350ade18c7a13dbc0dc66e73412563defd1025236d2bd3718c3d0a8f4820319fdf40793e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1499884026.exe
MD5
7fc6acd5ea62e19c1f920529b5dd3a47

SHA1
7992101624d2a2773af419144fe2a28edc48a177

SHA256
d2b17fc7e783eb8674ccacac869fde27f3dbe5c02cfd3eb8d83c100c3faf176a

SHA512
0d7515d835db3e3a71579a12504638e8139a9c3bfa23c98a98d8dc1ca7b6eb0fcac8e380d4a4ef5e476bac992de0725576e6b70d9037eedd2d47a4caae1f2590

Download Submit
C:\Users\Admin\AppData\Local\Temp\1499884026.exe
MD5
7fc6acd5ea62e19c1f920529b5dd3a47

SHA1
7992101624d2a2773af419144fe2a28edc48a177

SHA256
d2b17fc7e783eb8674ccacac869fde27f3dbe5c02cfd3eb8d83c100c3faf176a

SHA512
0d7515d835db3e3a71579a12504638e8139a9c3bfa23c98a98d8dc1ca7b6eb0fcac8e380d4a4ef5e476bac992de0725576e6b70d9037eedd2d47a4caae1f2590

Download Submit
C:\Users\Admin\AppData\Local\Temp\749307645.exe
MD5
5d5715e6d88a05857c45ac37f6f1ff30

SHA1
798c96c08f1694d3737779d9da34b3a1b2412269

SHA256
dd6ed83393e86373d04455ef9901cebc8ccdcaf88db0b50972f9f7fa57fb94b9

SHA512
14b7af38112bdb60ae5aece1674195135fdd222fd047cd5d3dcf9ce635641dbed22583d4e22e3a9bffaa276954b1716438a7220634159c6bfda204376ad1c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\749307645.exe
MD5
5d5715e6d88a05857c45ac37f6f1ff30

SHA1
798c96c08f1694d3737779d9da34b3a1b2412269

SHA256
dd6ed83393e86373d04455ef9901cebc8ccdcaf88db0b50972f9f7fa57fb94b9

SHA512
14b7af38112bdb60ae5aece1674195135fdd222fd047cd5d3dcf9ce635641dbed22583d4e22e3a9bffaa276954b1716438a7220634159c6bfda204376ad1c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\84m3tzia\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\84m3tzia\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTPHi3h8\H7TmAucOwDdlT4JLMW.exe
MD5
ea4deb27dc3ac469028845b7357ad724

SHA1
367aa70238370e4bdea65c60f80c083d159dddea

SHA256
e99a09d95411ec9e268c8dfbbb5025b882684e60856fbf483046a50ec12f3eb7

SHA512
9fe8b68c5c94df9453ca29d63e6727461ba7779c380d5479a21e7123bdc4579c704279ca949857c84d8fdd02652cf61df1e9bb3319bfaed151745c24eeeb1096

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTPHi3h8\H7TmAucOwDdlT4JLMW.exe
MD5
ea4deb27dc3ac469028845b7357ad724

SHA1
367aa70238370e4bdea65c60f80c083d159dddea

SHA256
e99a09d95411ec9e268c8dfbbb5025b882684e60856fbf483046a50ec12f3eb7

SHA512
9fe8b68c5c94df9453ca29d63e6727461ba7779c380d5479a21e7123bdc4579c704279ca949857c84d8fdd02652cf61df1e9bb3319bfaed151745c24eeeb1096

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF1A5.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF763.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF86D.tmp
MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqJ8vRss\7EoQL20.exe
MD5
1a856846f12c83ec2b60e85008092b53

SHA1
13613110f02316be6e9616dc3c8b9d1907c2a594

SHA256
2bda319fd4d0c4c053bc806b10a13575e9f38825c97ce67aa957fcf02cc45138

SHA512
51b2e0c89e218017f40949589dc98e332d227b19598be9f8b93d5303570126c4fd39873b7098a4d17d377293c6befc960e313a2f6e33b33afa42d47e59c30ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqJ8vRss\7EoQL20.exe
MD5
1a856846f12c83ec2b60e85008092b53

SHA1
13613110f02316be6e9616dc3c8b9d1907c2a594

SHA256
2bda319fd4d0c4c053bc806b10a13575e9f38825c97ce67aa957fcf02cc45138

SHA512
51b2e0c89e218017f40949589dc98e332d227b19598be9f8b93d5303570126c4fd39873b7098a4d17d377293c6befc960e313a2f6e33b33afa42d47e59c30ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GAUV3.tmp\vpn.tmp
MD5
08ae6b558839412d71c7e63c2ccee469

SHA1
8864aada0d862a58bd94bcdaedb7cd5bb7747a00

SHA256
45a8436696aeff3ffd6e502ee9709dcffd4ee6967c873b89c634233dbb3b9834

SHA512
1b41a4be48ba8a3cd48b11085faf1124c220fc74cea76976ce52875954f3bcfa857954d3914805db4ffdc32b562b2afbed1ed58668ed4d6e5628bf6c67a9cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GAUV3.tmp\vpn.tmp
MD5
08ae6b558839412d71c7e63c2ccee469

SHA1
8864aada0d862a58bd94bcdaedb7cd5bb7747a00

SHA256
45a8436696aeff3ffd6e502ee9709dcffd4ee6967c873b89c634233dbb3b9834

SHA512
1b41a4be48ba8a3cd48b11085faf1124c220fc74cea76976ce52875954f3bcfa857954d3914805db4ffdc32b562b2afbed1ed58668ed4d6e5628bf6c67a9cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N5NQ7.tmp\sigma_519113452.tmp
MD5
ce9501d639d11ab993d448910aefe479

SHA1
0b411ca79303059eddc490d9cfda27c135bbd9d8

SHA256
b97c3a288eeac5924616e5a0746f5608741d8428bfbbcaa7cd4b41026d6256fd

SHA512
945f6a1e6de5ae03dcd1e76d39320fea95c0f9fad3181bfd18770793f34573eaca9659fc9b1f765efeaa64ef75c1d5dab06438628c646d993a1ab6b6f6a3ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N5NQ7.tmp\sigma_519113452.tmp
MD5
ce9501d639d11ab993d448910aefe479

SHA1
0b411ca79303059eddc490d9cfda27c135bbd9d8

SHA256
b97c3a288eeac5924616e5a0746f5608741d8428bfbbcaa7cd4b41026d6256fd

SHA512
945f6a1e6de5ae03dcd1e76d39320fea95c0f9fad3181bfd18770793f34573eaca9659fc9b1f765efeaa64ef75c1d5dab06438628c646d993a1ab6b6f6a3ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk0wuKZM\9HHytXbBNDOTS5.exe
MD5
444dcd10203988dd18151750cf1545cf

SHA1
7497bb691153df2fbc20666b38ceb01defb266fa

SHA256
01af20708c748e723ab58002df57864baad0287f21ec389a5e0d8b80aae82a84

SHA512
9228da7e3a2573847edbb76790862bbf3a6d381691ca4c4ec12d722e0fa8680a60df785972a836395c6e21c73684886b0f39c69409e071a0e86d39008a10cde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk0wuKZM\9HHytXbBNDOTS5.exe
MD5
444dcd10203988dd18151750cf1545cf

SHA1
7497bb691153df2fbc20666b38ceb01defb266fa

SHA256
01af20708c748e723ab58002df57864baad0287f21ec389a5e0d8b80aae82a84

SHA512
9228da7e3a2573847edbb76790862bbf3a6d381691ca4c4ec12d722e0fa8680a60df785972a836395c6e21c73684886b0f39c69409e071a0e86d39008a10cde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{744D9~1\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\{744D9~1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{744d9ad1-5661-074e-856d-72594e507661}\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
\??\c:\PROGRA~2\maskvpn\driver\win764\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\maskvpn\driver\win764\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF1A5.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF763.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF86D.tmp
MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
\Users\Admin\AppData\Local\Temp\is-2VVOR.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2VVOR.tmp\_isetup\_isdecmp.dll
MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-2VVOR.tmp\_isetup\_isdecmp.dll
MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Local\Temp\is-8MGGT.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll
MD5
fddee40c512e40f05ed565f1a00e85f1

SHA1
2f0096e7418d19d8df8515f9899e87ca6671b517

SHA256
f7ab1e969edfece0c89bd4d79ce3cc70ff46e460da4d9d90b1ef91f3a0716265

SHA512
6845cb0f841572e7c516b8401eab4aadcdd492613ffb09ccd07ce254d6748ddde4b3b566b3e8fb2ea841c8fd5977d6f1fddaadda81e0f39d8736323e750c8127

Download Submit
memory/228-249-0x0000000000000000-mapping.dmp

Download
memory/376-57-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/440-52-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/828-56-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1008-55-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/1016-54-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1152-62-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/1176-139-0x0000000000000000-mapping.dmp

Download
memory/1248-65-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1392-14-0x0000000000000000-mapping.dmp

Download
memory/1396-222-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1520-46-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1564-109-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1568-43-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/1572-170-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/1596-138-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/1636-253-0x0000000000000000-mapping.dmp

Download
memory/1720-254-0x0000000000000000-mapping.dmp

Download
memory/2024-217-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2108-204-0x0000000000000000-mapping.dmp

Download
memory/2108-208-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2108-209-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2108-210-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2132-246-0x0000000000000000-mapping.dmp

Download
memory/2144-60-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/2176-144-0x0000000000000000-mapping.dmp

Download
memory/2184-44-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/2188-59-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2192-148-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2200-194-0x0000000000000000-mapping.dmp

Download
memory/2312-31-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2312-33-0x0000000000400000-0x000000000145E000-memory.dmp

Filesize
16.4MB

Download
memory/2312-34-0x0000000001980000-0x0000000001981000-memory.dmp

Filesize
4KB

Download
memory/2312-29-0x0000000000000000-mapping.dmp

Download
memory/2312-32-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2476-41-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/2804-245-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2856-159-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2864-39-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2908-35-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/2920-82-0x0000000000000000-mapping.dmp

Download
memory/2920-107-0x00000000093D0000-0x00000000093D1000-memory.dmp

Filesize
4KB

Download
memory/2920-102-0x00000000093E1000-0x00000000093E9000-memory.dmp

Filesize
32KB

Download
memory/2920-90-0x0000000007421000-0x0000000007606000-memory.dmp

Filesize
1.9MB

Download
memory/2920-97-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2920-87-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2920-105-0x0000000009681000-0x000000000968D000-memory.dmp

Filesize
48KB

Download
memory/2984-81-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3004-178-0x0000000000000000-mapping.dmp

Download
memory/3136-47-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/3140-129-0x0000000000000000-mapping.dmp

Download
memory/3160-37-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3304-130-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/3464-63-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/3676-205-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/3720-45-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/3864-38-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3932-179-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/3944-73-0x0000000000000000-mapping.dmp

Download
memory/3944-80-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3968-166-0x0000000000000000-mapping.dmp

Download
memory/3972-51-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3976-134-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3976-122-0x000000006E1A0000-0x000000006E88E000-memory.dmp

Filesize
6.9MB

Download
memory/3976-118-0x0000000000000000-mapping.dmp

Download
memory/3976-125-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4056-187-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4080-72-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/4084-172-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4084-171-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4088-151-0x000000006E1A0000-0x000000006E88E000-memory.dmp

Filesize
6.9MB

Download
memory/4088-150-0x000000000041F38E-mapping.dmp

Download
memory/4088-149-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4088-163-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4112-64-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4148-53-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/4296-71-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/4320-42-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4356-26-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4396-252-0x0000000000000000-mapping.dmp

Download
memory/4404-74-0x0000000000000000-mapping.dmp

Download
memory/4404-86-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4404-93-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4404-91-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4404-79-0x000000006E1A0000-0x000000006E88E000-memory.dmp

Filesize
6.9MB

Download
memory/4404-83-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4448-108-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/4456-48-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4480-27-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4480-20-0x0000000000000000-mapping.dmp

Download
memory/4480-24-0x00000000031C1000-0x00000000031C3000-memory.dmp

Filesize
8KB

Download
memory/4516-156-0x0000000000000000-mapping.dmp

Download
memory/4532-190-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/4532-211-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/4532-110-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4532-111-0x000000000041F38E-mapping.dmp

Download
memory/4532-112-0x000000006E1A0000-0x000000006E88E000-memory.dmp

Filesize
6.9MB

Download
memory/4532-212-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/4532-214-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/4532-189-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/4532-237-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/4532-121-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/4532-215-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4532-185-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/4532-186-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/4532-213-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/4532-188-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/4560-157-0x0000000000000000-mapping.dmp

Download
memory/4568-191-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/4592-40-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/4604-117-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/4604-92-0x0000000000000000-mapping.dmp

Download
memory/4604-123-0x0000000002CE0000-0x0000000002D2C000-memory.dmp

Filesize
304KB

Download
memory/4604-124-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4616-248-0x0000000000000000-mapping.dmp

Download
memory/4620-96-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/4680-180-0x0000000000000000-mapping.dmp

Download
memory/4708-135-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/4720-250-0x0000000000000000-mapping.dmp

Download
memory/4732-67-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/4752-136-0x0000000000000000-mapping.dmp

Download
memory/4780-58-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/4788-196-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/4788-158-0x0000000000000000-mapping.dmp

Download
memory/4808-68-0x0000000000000000-mapping.dmp

Download
memory/4812-142-0x0000000000000000-mapping.dmp

Download
memory/4824-50-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/4828-66-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4832-247-0x0000000000000000-mapping.dmp

Download
memory/4860-61-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/4892-251-0x0000000000000000-mapping.dmp

Download
memory/4920-49-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/4956-220-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/4956-229-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4956-221-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/4956-216-0x0000000000000000-mapping.dmp

Download
memory/4984-182-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/5020-2-0x0000000000000000-mapping.dmp

Download
memory/5036-116-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5092-242-0x0000000034201000-0x00000000342EA000-memory.dmp

Filesize
932KB

Download
memory/5092-243-0x0000000034361000-0x000000003439F000-memory.dmp

Filesize
248KB

Download
memory/5092-241-0x0000000033AC1000-0x0000000033C40000-memory.dmp

Filesize
1.5MB

Download
memory/5092-240-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/5092-239-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/5092-238-0x0000000001940000-0x0000000001941000-memory.dmp

Filesize
4KB

Download