redline | ceea3e1b3829e10af9e68a64866ff4acbaa96f759b997fa68a1be90e6f4f36c1

Resubmissions

12-03-2021 16:40

210312-n86zntexka 10

12-03-2021 16:36

210312-h45jelee7x 10

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
12-03-2021 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fires_258452962.exe
Size

4.5MB
MD5

90ce8dd992c0393eb7621e1c773b8914
SHA1

118efa19dc43b23b76b7d558a3f66d40f0d1b4bc
SHA256

3efbdb687b9cbb20fb1c2b12e567a650584ddadc598a9e580a70fe0feb14a2bb
SHA512

014239b2cb990c8f26e8b038d58782a562a3a2489bf2c68e2d7cb9c84d29460b1c59b0ecf4045abd40e8ea6e864e3e507f1e33a2f5afd802926b0688e25b6c84

Score

10^/10

redline discovery infostealer persistence upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2936-111-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/2936-112-0x000000000041F39E-mapping.dmp	family_redline
behavioral1/memory/2936-114-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/2480-128-0x000000000041F38A-mapping.dmp	family_redline
behavioral1/memory/2480-127-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/2480-130-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\ApiTool.dll	acprotect

Blocklisted process makes network request 6 IoCs

Processes:

MsiExec.exe

flow pid process

52 2324 MsiExec.exe
53 2324 MsiExec.exe
55 2324 MsiExec.exe
58 2324 MsiExec.exe
60 2324 MsiExec.exe
61 2324 MsiExec.exe

flow	pid	process
52	2324	MsiExec.exe
53	2324	MsiExec.exe
55	2324	MsiExec.exe
58	2324	MsiExec.exe
60	2324	MsiExec.exe
61	2324	MsiExec.exe

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File created	C:\Windows\system32\DRIVERS\SET79F.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET79F.tmp	DrvInst.exe

Executes dropped EXE 27 IoCs

Processes:

fires_258452962.tmpEt.exevpn.exevpn.tmpjCiDgIXeJwaAJrKkJj8L.exeG7lKwvX.exetapinstall.exetapinstall.exe1860006078.exemask_svc.exe1310769248.exemask_svc.exemask_svc.exeaipackagechainer.exeWeather_Installation.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeMaskVPNUpdate.exeWeather.exe

pid	process
904	fires_258452962.tmp
1980	Et.exe
272	vpn.exe
1516	vpn.tmp
1344	jCiDgIXeJwaAJrKkJj8L.exe
1844	G7lKwvX.exe
1528	tapinstall.exe
1108	tapinstall.exe
2276	1860006078.exe
2992	mask_svc.exe
3064	1310769248.exe
2756	mask_svc.exe
2152	mask_svc.exe
2332	aipackagechainer.exe
2520	Weather_Installation.exe
1992	Weather.exe
2592	Weather.exe
2460	Weather.exe
1072	Weather.exe
2892	Weather.exe
2864	Weather.exe
2844	Weather.exe
2424	Weather.exe
1824	Weather.exe
760	Weather.exe
1816	MaskVPNUpdate.exe
848	Weather.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\ApiTool.dll	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Weather.exeWeather.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation	Weather.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation	Weather.exe

Loads dropped DLL 64 IoCs

Processes:

fires_258452962.exefires_258452962.tmpEt.exevpn.exevpn.tmpG7lKwvX.execmd.exeMsiExec.execmd.exejCiDgIXeJwaAJrKkJj8L.exeMsiExec.exemask_svc.exeaipackagechainer.exeWeather_Installation.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exe

pid	process
1740	fires_258452962.exe
904	fires_258452962.tmp
904	fires_258452962.tmp
904	fires_258452962.tmp
904	fires_258452962.tmp
904	fires_258452962.tmp
1980	Et.exe
272	vpn.exe
1980	Et.exe
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1980	Et.exe
1844	G7lKwvX.exe
1864	cmd.exe
1864	cmd.exe
1984	MsiExec.exe
1032	cmd.exe
1984	MsiExec.exe
1984	MsiExec.exe
1344	jCiDgIXeJwaAJrKkJj8L.exe
2324	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1344	jCiDgIXeJwaAJrKkJj8L.exe
1344	jCiDgIXeJwaAJrKkJj8L.exe
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
2152	mask_svc.exe
2152	mask_svc.exe
2152	mask_svc.exe
1516	vpn.tmp
1516	vpn.tmp
2332	aipackagechainer.exe
2520	Weather_Installation.exe
2520	Weather_Installation.exe
2520	Weather_Installation.exe
2520	Weather_Installation.exe
2520	Weather_Installation.exe
2520	Weather_Installation.exe
1992	Weather.exe
2520	Weather_Installation.exe
1992	Weather.exe
1992	Weather.exe
2520	Weather_Installation.exe
2592	Weather.exe
2460	Weather.exe
1072	Weather.exe
2892	Weather.exe
1072	Weather.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aipackagechainer.exeWeather_Installation.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Weather_Installation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Users\\Admin\\AppData\\Roaming\\Weather\\Weather.exe --anbfs"	Weather_Installation.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

G7lKwvX.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	G7lKwvX.exe
File opened (read-only)	\??\P:	G7lKwvX.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	G7lKwvX.exe
File opened (read-only)	\??\N:	G7lKwvX.exe
File opened (read-only)	\??\U:	G7lKwvX.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	G7lKwvX.exe
File opened (read-only)	\??\V:	G7lKwvX.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	G7lKwvX.exe
File opened (read-only)	\??\G:	G7lKwvX.exe
File opened (read-only)	\??\J:	G7lKwvX.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	G7lKwvX.exe
File opened (read-only)	\??\L:	G7lKwvX.exe
File opened (read-only)	\??\M:	G7lKwvX.exe
File opened (read-only)	\??\X:	G7lKwvX.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	G7lKwvX.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	G7lKwvX.exe
File opened (read-only)	\??\F:	G7lKwvX.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	G7lKwvX.exe
File opened (read-only)	\??\Z:	G7lKwvX.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	G7lKwvX.exe
File opened (read-only)	\??\Q:	G7lKwvX.exe
File opened (read-only)	\??\R:	G7lKwvX.exe
File opened (read-only)	\??\S:	G7lKwvX.exe
File opened (read-only)	\??\T:	G7lKwvX.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 21 IoCs

Processes:

DrvInst.exeDrvInst.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\SETF22B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\SETF22B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\SETF22C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\SETF22D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\SETF22C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\SETF22D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{099b1a34-d190-21df-c0fa-6864f218ae01}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

2992 mask_svc.exe
2756 mask_svc.exe
2152 mask_svc.exe

pid	process
2992	mask_svc.exe
2756	mask_svc.exe
2152	mask_svc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1860006078.exe1310769248.exe

description	pid	process	target process
PID 2276 set thread context of 2936	2276	1860006078.exe	AddInProcess32.exe
PID 3064 set thread context of 2480	3064	1310769248.exe	AddInProcess32.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpfires_258452962.tmpMaskVPNUpdate.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-P99HG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-8AHID.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-J9TP0.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\odit\is-CCLLJ.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-6MJKC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-OVJ74.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\odit\is-HP2TT.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\quo\is-Q4BU0.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CP5N6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-O8D16.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-UBAMJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-IVOBO.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\odit\is-S5MIM.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-EEFB8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-07TPC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-UDFUT.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-P6OJQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-VSUB4.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\odit\is-44O2I.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\odit\is-JV7A5.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-N0UVK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BV0RF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-8USJE.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\illo\is-V8NLO.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\is-H0J83.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-CHPLM.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-0P98M.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-DC5RM.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-TG5FG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-O791B.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\is-EKNRU.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-QTOHN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-8HDLB.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\unins000.dat	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\is-EC281.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-UCARQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-0FER8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-C054T.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Est\odit\sqlite3.dll	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CUNO6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-FD2P9.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-9844A.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-JNFR0.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\Est\is-DVPO6.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\illo\is-118N7.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\illo\is-9HETM.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Est\odit\Et.exe	fires_258452962.tmp

Drops file in Windows directory 30 IoCs

Processes:

tapinstall.exemsiexec.exeDrvInst.exeDrvInst.exeDrvInst.exeaipackagechainer.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\MSIF710.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f74f26c.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIFBA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF6C1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB66.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6BBB.tmp	msiexec.exe
File created	C:\Windows\Installer\f74f26a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74f26a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB96.tmp	msiexec.exe
File created	C:\Windows\Installer\f74f26c.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\Tasks\.job	aipackagechainer.exe
File opened for modification	C:\Windows\Installer\MSIFD9B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF73F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE1A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF7DC.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1448 timeout.exe
2560 timeout.exe
2604 timeout.exe

pid	process
1448	timeout.exe
2560	timeout.exe
2604	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exemask_svc.exeDrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mask_svc.exe

Modifies registry class 7 IoCs

Processes:

vpn.tmprundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	vpn.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp

Modifies system certificate store 2 TTPs 29 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Et.exeG7lKwvX.exevpn.tmptapinstall.exejCiDgIXeJwaAJrKkJj8L.exeWeather_Installation.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	Et.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Et.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Et.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a11800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	G7lKwvX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Et.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	jCiDgIXeJwaAJrKkJj8L.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Et.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	G7lKwvX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Weather_Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Weather_Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Et.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	G7lKwvX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	G7lKwvX.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	jCiDgIXeJwaAJrKkJj8L.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	jCiDgIXeJwaAJrKkJj8L.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Et.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jCiDgIXeJwaAJrKkJj8L.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2676 PING.EXE

pid	process
2676	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

fires_258452962.tmpEt.exevpn.tmpmsiexec.exemask_svc.exemask_svc.exemask_svc.exeAddInProcess32.exeAddInProcess32.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeMaskVPNUpdate.exeWeather.exe

pid	process
904	fires_258452962.tmp
904	fires_258452962.tmp
1980	Et.exe
1980	Et.exe
1980	Et.exe
1980	Et.exe
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1452	msiexec.exe
1452	msiexec.exe
2992	mask_svc.exe
2756	mask_svc.exe
2152	mask_svc.exe
2152	mask_svc.exe
2152	mask_svc.exe
2936	AddInProcess32.exe
2480	AddInProcess32.exe
1516	vpn.tmp
1516	vpn.tmp
2892	Weather.exe
1072	Weather.exe
1992	Weather.exe
1992	Weather.exe
2864	Weather.exe
2844	Weather.exe
2424	Weather.exe
1824	Weather.exe
760	Weather.exe
2152	mask_svc.exe
2152	mask_svc.exe
1816	MaskVPNUpdate.exe
1816	MaskVPNUpdate.exe
848	Weather.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zG.exe

pid process

2092 7zG.exe

pid	process
2092	7zG.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vpn.tmpmsiexec.exeG7lKwvX.exe

description	pid	process
Token: SeDebugPrivilege	1516	vpn.tmp
Token: SeDebugPrivilege	1516	vpn.tmp
Token: SeRestorePrivilege	1452	msiexec.exe
Token: SeTakeOwnershipPrivilege	1452	msiexec.exe
Token: SeSecurityPrivilege	1452	msiexec.exe
Token: SeCreateTokenPrivilege	1844	G7lKwvX.exe
Token: SeAssignPrimaryTokenPrivilege	1844	G7lKwvX.exe
Token: SeLockMemoryPrivilege	1844	G7lKwvX.exe
Token: SeIncreaseQuotaPrivilege	1844	G7lKwvX.exe
Token: SeMachineAccountPrivilege	1844	G7lKwvX.exe
Token: SeTcbPrivilege	1844	G7lKwvX.exe
Token: SeSecurityPrivilege	1844	G7lKwvX.exe
Token: SeTakeOwnershipPrivilege	1844	G7lKwvX.exe
Token: SeLoadDriverPrivilege	1844	G7lKwvX.exe
Token: SeSystemProfilePrivilege	1844	G7lKwvX.exe
Token: SeSystemtimePrivilege	1844	G7lKwvX.exe
Token: SeProfSingleProcessPrivilege	1844	G7lKwvX.exe
Token: SeIncBasePriorityPrivilege	1844	G7lKwvX.exe
Token: SeCreatePagefilePrivilege	1844	G7lKwvX.exe
Token: SeCreatePermanentPrivilege	1844	G7lKwvX.exe
Token: SeBackupPrivilege	1844	G7lKwvX.exe
Token: SeRestorePrivilege	1844	G7lKwvX.exe
Token: SeShutdownPrivilege	1844	G7lKwvX.exe
Token: SeDebugPrivilege	1844	G7lKwvX.exe
Token: SeAuditPrivilege	1844	G7lKwvX.exe
Token: SeSystemEnvironmentPrivilege	1844	G7lKwvX.exe
Token: SeChangeNotifyPrivilege	1844	G7lKwvX.exe
Token: SeRemoteShutdownPrivilege	1844	G7lKwvX.exe
Token: SeUndockPrivilege	1844	G7lKwvX.exe
Token: SeSyncAgentPrivilege	1844	G7lKwvX.exe
Token: SeEnableDelegationPrivilege	1844	G7lKwvX.exe
Token: SeManageVolumePrivilege	1844	G7lKwvX.exe
Token: SeImpersonatePrivilege	1844	G7lKwvX.exe
Token: SeCreateGlobalPrivilege	1844	G7lKwvX.exe
Token: SeCreateTokenPrivilege	1844	G7lKwvX.exe
Token: SeAssignPrimaryTokenPrivilege	1844	G7lKwvX.exe
Token: SeLockMemoryPrivilege	1844	G7lKwvX.exe
Token: SeIncreaseQuotaPrivilege	1844	G7lKwvX.exe
Token: SeMachineAccountPrivilege	1844	G7lKwvX.exe
Token: SeTcbPrivilege	1844	G7lKwvX.exe
Token: SeSecurityPrivilege	1844	G7lKwvX.exe
Token: SeTakeOwnershipPrivilege	1844	G7lKwvX.exe
Token: SeLoadDriverPrivilege	1844	G7lKwvX.exe
Token: SeSystemProfilePrivilege	1844	G7lKwvX.exe
Token: SeSystemtimePrivilege	1844	G7lKwvX.exe
Token: SeProfSingleProcessPrivilege	1844	G7lKwvX.exe
Token: SeIncBasePriorityPrivilege	1844	G7lKwvX.exe
Token: SeCreatePagefilePrivilege	1844	G7lKwvX.exe
Token: SeCreatePermanentPrivilege	1844	G7lKwvX.exe
Token: SeBackupPrivilege	1844	G7lKwvX.exe
Token: SeRestorePrivilege	1844	G7lKwvX.exe
Token: SeShutdownPrivilege	1844	G7lKwvX.exe
Token: SeDebugPrivilege	1844	G7lKwvX.exe
Token: SeAuditPrivilege	1844	G7lKwvX.exe
Token: SeSystemEnvironmentPrivilege	1844	G7lKwvX.exe
Token: SeChangeNotifyPrivilege	1844	G7lKwvX.exe
Token: SeRemoteShutdownPrivilege	1844	G7lKwvX.exe
Token: SeUndockPrivilege	1844	G7lKwvX.exe
Token: SeSyncAgentPrivilege	1844	G7lKwvX.exe
Token: SeEnableDelegationPrivilege	1844	G7lKwvX.exe
Token: SeManageVolumePrivilege	1844	G7lKwvX.exe
Token: SeImpersonatePrivilege	1844	G7lKwvX.exe
Token: SeCreateGlobalPrivilege	1844	G7lKwvX.exe
Token: SeCreateTokenPrivilege	1844	G7lKwvX.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

fires_258452962.tmpvpn.tmpG7lKwvX.exe

pid	process
904	fires_258452962.tmp
1516	vpn.tmp
1844	G7lKwvX.exe
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MaskVPNUpdate.exe

pid process

1816 MaskVPNUpdate.exe

pid	process
1816	MaskVPNUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fires_258452962.exefires_258452962.tmpEt.exevpn.exevpn.tmpmsiexec.execmd.exe

description	pid	process	target process
PID 1740 wrote to memory of 904	1740	fires_258452962.exe	fires_258452962.tmp
PID 1740 wrote to memory of 904	1740	fires_258452962.exe	fires_258452962.tmp
PID 1740 wrote to memory of 904	1740	fires_258452962.exe	fires_258452962.tmp
PID 1740 wrote to memory of 904	1740	fires_258452962.exe	fires_258452962.tmp
PID 1740 wrote to memory of 904	1740	fires_258452962.exe	fires_258452962.tmp
PID 1740 wrote to memory of 904	1740	fires_258452962.exe	fires_258452962.tmp
PID 1740 wrote to memory of 904	1740	fires_258452962.exe	fires_258452962.tmp
PID 904 wrote to memory of 1980	904	fires_258452962.tmp	Et.exe
PID 904 wrote to memory of 1980	904	fires_258452962.tmp	Et.exe
PID 904 wrote to memory of 1980	904	fires_258452962.tmp	Et.exe
PID 904 wrote to memory of 1980	904	fires_258452962.tmp	Et.exe
PID 904 wrote to memory of 1980	904	fires_258452962.tmp	Et.exe
PID 904 wrote to memory of 1980	904	fires_258452962.tmp	Et.exe
PID 904 wrote to memory of 1980	904	fires_258452962.tmp	Et.exe
PID 1980 wrote to memory of 272	1980	Et.exe	vpn.exe
PID 1980 wrote to memory of 272	1980	Et.exe	vpn.exe
PID 1980 wrote to memory of 272	1980	Et.exe	vpn.exe
PID 1980 wrote to memory of 272	1980	Et.exe	vpn.exe
PID 1980 wrote to memory of 272	1980	Et.exe	vpn.exe
PID 1980 wrote to memory of 272	1980	Et.exe	vpn.exe
PID 1980 wrote to memory of 272	1980	Et.exe	vpn.exe
PID 272 wrote to memory of 1516	272	vpn.exe	vpn.tmp
PID 272 wrote to memory of 1516	272	vpn.exe	vpn.tmp
PID 272 wrote to memory of 1516	272	vpn.exe	vpn.tmp
PID 272 wrote to memory of 1516	272	vpn.exe	vpn.tmp
PID 272 wrote to memory of 1516	272	vpn.exe	vpn.tmp
PID 272 wrote to memory of 1516	272	vpn.exe	vpn.tmp
PID 272 wrote to memory of 1516	272	vpn.exe	vpn.tmp
PID 1980 wrote to memory of 1344	1980	Et.exe	jCiDgIXeJwaAJrKkJj8L.exe
PID 1980 wrote to memory of 1344	1980	Et.exe	jCiDgIXeJwaAJrKkJj8L.exe
PID 1980 wrote to memory of 1344	1980	Et.exe	jCiDgIXeJwaAJrKkJj8L.exe
PID 1980 wrote to memory of 1344	1980	Et.exe	jCiDgIXeJwaAJrKkJj8L.exe
PID 1980 wrote to memory of 1844	1980	Et.exe	G7lKwvX.exe
PID 1980 wrote to memory of 1844	1980	Et.exe	G7lKwvX.exe
PID 1980 wrote to memory of 1844	1980	Et.exe	G7lKwvX.exe
PID 1980 wrote to memory of 1844	1980	Et.exe	G7lKwvX.exe
PID 1980 wrote to memory of 1844	1980	Et.exe	G7lKwvX.exe
PID 1980 wrote to memory of 1844	1980	Et.exe	G7lKwvX.exe
PID 1980 wrote to memory of 1844	1980	Et.exe	G7lKwvX.exe
PID 1516 wrote to memory of 1864	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1864	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1864	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1864	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1864	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1864	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1864	1516	vpn.tmp	cmd.exe
PID 1452 wrote to memory of 1984	1452	msiexec.exe	MsiExec.exe
PID 1452 wrote to memory of 1984	1452	msiexec.exe	MsiExec.exe
PID 1452 wrote to memory of 1984	1452	msiexec.exe	MsiExec.exe
PID 1452 wrote to memory of 1984	1452	msiexec.exe	MsiExec.exe
PID 1452 wrote to memory of 1984	1452	msiexec.exe	MsiExec.exe
PID 1452 wrote to memory of 1984	1452	msiexec.exe	MsiExec.exe
PID 1452 wrote to memory of 1984	1452	msiexec.exe	MsiExec.exe
PID 1864 wrote to memory of 1528	1864	cmd.exe	tapinstall.exe
PID 1864 wrote to memory of 1528	1864	cmd.exe	tapinstall.exe
PID 1864 wrote to memory of 1528	1864	cmd.exe	tapinstall.exe
PID 1864 wrote to memory of 1528	1864	cmd.exe	tapinstall.exe
PID 1516 wrote to memory of 1032	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1032	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1032	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1032	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1032	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1032	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 1032	1516	vpn.tmp	cmd.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1120 attrib.exe
2480 attrib.exe
2104 attrib.exe
852 attrib.exe

pid	process
1120	attrib.exe
2480	attrib.exe
2104	attrib.exe
852	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fires_258452962.exe
"C:\Users\Admin\AppData\Local\Temp\fires_258452962.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\is-6EDNA.tmp\fires_258452962.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6EDNA.tmp\fires_258452962.tmp" /SL5="$30104,4313631,119296,C:\Users\Admin\AppData\Local\Temp\fires_258452962.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:904

C:\Program Files (x86)\Est\odit\Et.exe
"C:\Program Files (x86)\Est/\odit\Et.exe" 31a9b403cadb2d356a3db6e4467af31a
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\aPRK1Qj1\vpn.exe
C:\Users\Admin\AppData\Local\Temp\aPRK1Qj1\vpn.exe /silent /subid=510x31a9b403cadb2d356a3db6e4467af31a
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\AppData\Local\Temp\is-LULED.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LULED.tmp\vpn.tmp" /SL5="$10252,15170975,270336,C:\Users\Admin\AppData\Local\Temp\aPRK1Qj1\vpn.exe" /silent /subid=510x31a9b403cadb2d356a3db6e4467af31a
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
7⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
6⤵
- Loads dropped DLL
PID:1032

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
PID:1108

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\jCiDgIXeJwaAJrKkJj8L.exe
C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\jCiDgIXeJwaAJrKkJj8L.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1344

C:\Users\Admin\AppData\Local\Temp\1860006078.exe
C:\Users\Admin\AppData\Local\Temp\1860006078.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Users\Admin\AppData\Local\Temp\1310769248.exe
C:\Users\Admin\AppData\Local\Temp\1310769248.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\jCiDgIXeJwaAJrKkJj8L.exe & exit
5⤵
PID:2660

C:\Windows\SysWOW64\PING.EXE
ping 0
6⤵
- Runs ping.exe
PID:2676

C:\Users\Admin\AppData\Local\Temp\TlwWJwwZ\G7lKwvX.exe
C:\Users\Admin\AppData\Local\Temp\TlwWJwwZ\G7lKwvX.exe /quiet SILENT=1 AF=721__31a9b403cadb2d356a3db6e4467af31a
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1844

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=721__31a9b403cadb2d356a3db6e4467af31a AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\TlwWJwwZ\G7lKwvX.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\TlwWJwwZ\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1615308191 /quiet SILENT=1 AF=721__31a9b403cadb2d356a3db6e4467af31a " AF="721__31a9b403cadb2d356a3db6e4467af31a" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
5⤵
PID:2084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7DB68186DFA35E4E12475320B18C24E1 C
2⤵
- Loads dropped DLL
PID:1984

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C11581C0E98EC099A4B22EA151DCABD0
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2324

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
PID:2332

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=721__31a9b403cadb2d356a3db6e4467af31a -BF=default -uncf=default
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:2520

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x7fef5889ec0,0x7fef5889ed0,0x7fef5889ee0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x108,0x10c,0x110,0xdc,0x114,0x13f364e60,0x13f364e70,0x13f364e80
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1096 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --mojo-platform-channel-handle=1336 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --mojo-platform-channel-handle=1584 /prefetch:8
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1816 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1352 /prefetch:2
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1156 /prefetch:2
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --mojo-platform-channel-handle=1952 /prefetch:8
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,16434196980449646997,13959676897618945978,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_136070697" --mojo-platform-channel-handle=1984 /prefetch:8
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXEACD3.bat" "
3⤵
PID:2672

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:852

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEACD3.bat" "
4⤵
PID:1292

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEACD3.bat"
4⤵
- Views/modifies file attributes
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXEAD02.bat" "
3⤵
PID:844

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:1120

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2560

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2604

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEAD02.bat"
4⤵
- Views/modifies file attributes
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEAD02.bat" "
4⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:1556

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\FireSkull Hack.rar.rar
1⤵
- Modifies registry class
PID:608

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5ba2fa9e-55dc-6d49-4ff1-e606a28a6e22}\oemvista.inf" "9" "6d14a44ff" "00000000000005A8" "WinSta0\Default" "00000000000005AC" "208" "c:\program files (x86)\maskvpn\driver\win764"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2188

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005EC" "00000000000005E8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2612

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "00000000000005C0" "00000000000005EC" "00000000000005E8"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\FireSkull Hack.rar\" -ad -an -ai#7zMap7554:98:7zEvent15856
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2092

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap10920:98:7zEvent7178
1⤵
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Est\odit\Et.exe
MD5
7249e0f3529560fc42e651f28ab106fd

SHA1
27a616b4ded4b54139cfd51eab9ebeadf1e66b6f

SHA256
05c08274684001e2822b82293939350a2ba44b0f18a2772bb5364bfc0e13a2b3

SHA512
154921a42c24c81d28702537f1209ff9d8b96706ed0502705e6113ab8d90de5ee4c2847186520dec1a8d714e945af6d0da480c11765f34e1351c39a6401ba7df

Download Submit
C:\Program Files (x86)\Est\odit\Et.exe
MD5
7249e0f3529560fc42e651f28ab106fd

SHA1
27a616b4ded4b54139cfd51eab9ebeadf1e66b6f

SHA256
05c08274684001e2822b82293939350a2ba44b0f18a2772bb5364bfc0e13a2b3

SHA512
154921a42c24c81d28702537f1209ff9d8b96706ed0502705e6113ab8d90de5ee4c2847186520dec1a8d714e945af6d0da480c11765f34e1351c39a6401ba7df

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\install.bat
MD5
3a05ce392d84463b43858e26c48f9cbf

SHA1
78f624e2c81c3d745a45477d61749b8452c129f1

SHA256
5b56d8b121fc9a7f2d4e90edb1b29373cd2d06bac1c54ada8f6cb559b411180b

SHA512
8a31fda09f0fa7779c4fb0c0629d4d446957c8aaae0595759dd2b434e84a17ecb6ffe4beff973a245caf0452a0c04a488d2ae7b232d8559f3bd1bfd68fed7cf1

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
MD5
9133a44bfd841b8849bddead9957c2c3

SHA1
3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

SHA256
b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

SHA512
d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
0f5cd725d7cbb3f09f80bd32441fe113

SHA1
014b88b5cf3929acd31eee5863a2d705aa8720c7

SHA256
4501e17c428e51902a669585415f646eaa933f5386f598629dd05117ef70fb51

SHA512
06bd105d3e2ad3951287e91de3d77cdfb8e27eb00288fae961b0f47bfb0ee9ad81a1a846d92f4d216c9d69a1d155de5b2e87444a2ac62d04bcdc887085beed8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
MD5
562512f6351fe76fb093932872a51d5e

SHA1
f05042143fe221bed38fcdbdf50d9ef2f9ce3c14

SHA256
a80f0b79a13a940a301f42525daab2673500a40066a4d3ca0126e0926b075197

SHA512
5bae5b862fb7e48c0a15c71857d2f2d40a1791e2b14595bf6d99f29374f96e6ac1daa6eb58e289bf518e3a234a3683cdce19655fb594394069823efa8f546a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
cfeef8ec4f80b50ddb80d4fe9540aa76

SHA1
cbdf0cefa6c6841dd3bdd6d5af28b642c7ffdcf5

SHA256
414f3a831fffd27f768e023eaa404aea67833f042bf95840084d94822e968562

SHA512
02bc825facbc519eb6bf444230551e92283af34ea0ba6d0bea89a8edab7fde5e3d696533965fd4700c1e3ac1aee6304148d2613e154702e073d35b5035716c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
d761f29579f1d2cdb08912bf78015706

SHA1
03d31b821e092730362a112c6ed40d6d69bde8a1

SHA256
514ba09be40a3aa19d580dfd65ce69135ee7fdea4b6553ac8e0c66cdb106e7a8

SHA512
3f01cac9986664fa2cfda776d73d9c2538e26afe79c1e4918c31f88d54f30ba06a80189f98ce9951ff38ac3c7670de2e64affb27887968c542278879058a8f64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
MD5
d3475baa3886fe6d9b0267712f5e9399

SHA1
bbec13db3a0922e318e6cadabed997c2aecb1b1c

SHA256
df460abecda4d327af9dcdb1f5e8d4e995746eb2e249d2183b6fb42db7293a56

SHA512
cbbdbf8a0e7122bed1682aaa3cce50fdd4cd8a7ff80e7918573e18470fc05d75de13739b2c672e2dd5dbcd3eb7504447de96d0988f79b478acd19b6f442dcab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2ee4277818b332121f1469852694a41e

SHA1
52b94709d2c8b8fba3d38ba80a019783fd7a361e

SHA256
c3597a5c97039cbbe6078f8d2bf8fc8cf5149668ffc8bb4beb6966f3e7400816

SHA512
5bfcd5e64465916627e23781953a4f1234d53e08ed5e402e43cab81429b7497ae03271292dbb965a30638a4d946fc2f8f2bf3b30280dd646c305781aeb79d2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e9d0593bfd142b5ec99f0a695fb86c41

SHA1
11cdfe368d798a89e38d3b046f7d88208085de45

SHA256
c23e1611ce9976e8960a87d0ea47ef8e3d7f713dcdce4f3307df4b2490bc6ebf

SHA512
900e529c29ec260eeac176360667ad0e7a6e52526806189516c5d15617314cf6e17d221bf99b4bcb2705405b9c5b057541472a93dcd8595418a14551f5629b24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
7f3255307ee8bcf7462efafd995ec697

SHA1
cc7c6979acefd17a3dbba5049638d5ce90f4ce66

SHA256
40eb04778c1f5bd0ede8e87bce12f16be16eb10c717866436e749f8b0d2e076a

SHA512
6df0524f627c0531ca0d04b44352d3070ba74ca916b60beb70dad806f4a2b991dda2b8408ddf4661166e0acdba6e82900056053101b0a37ba15306a4fdf9f7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1860006078.exe
MD5
8f42d6ac2ff0bd507f77fc6f2077ecae

SHA1
3f6eb11f4dc112aed5aac9fe3feb78f77e068c93

SHA256
cb1c124f7c5ee7ff7e260a15a4c8dcbce9dc4d3c3f4a1bbc54fda408970d045f

SHA512
2de3ab74384d24ccc5ae083dda82956d722f87e5d0b06ee183a42b92c8a881758940b773e2aa19ecb0a0b22c0b5522e60700604011f12cb2e72c06722864daa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1860006078.exe
MD5
8f42d6ac2ff0bd507f77fc6f2077ecae

SHA1
3f6eb11f4dc112aed5aac9fe3feb78f77e068c93

SHA256
cb1c124f7c5ee7ff7e260a15a4c8dcbce9dc4d3c3f4a1bbc54fda408970d045f

SHA512
2de3ab74384d24ccc5ae083dda82956d722f87e5d0b06ee183a42b92c8a881758940b773e2aa19ecb0a0b22c0b5522e60700604011f12cb2e72c06722864daa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIED51.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEF36.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF021.tmp
MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TlwWJwwZ\G7lKwvX.exe
MD5
208eb0912e5b6bcd0fa6f4f3d3b6f4f9

SHA1
d9f80e863a0435a991f601da93fcec3d4a813405

SHA256
e7d29e072c40ce7fbe34fbf7d32d38166c56299954d33c39acfbcafb1f18e93a

SHA512
d1cafd13483724fae43b81e9889a44462f51b6b16c23a30750264c8d5c435665ddacf0b10df2659fb4a7ed79efa2e89480ee1102a3d798492ba5da9d3d36e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\TlwWJwwZ\G7lKwvX.exe
MD5
208eb0912e5b6bcd0fa6f4f3d3b6f4f9

SHA1
d9f80e863a0435a991f601da93fcec3d4a813405

SHA256
e7d29e072c40ce7fbe34fbf7d32d38166c56299954d33c39acfbcafb1f18e93a

SHA512
d1cafd13483724fae43b81e9889a44462f51b6b16c23a30750264c8d5c435665ddacf0b10df2659fb4a7ed79efa2e89480ee1102a3d798492ba5da9d3d36e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPRK1Qj1\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPRK1Qj1\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\jCiDgIXeJwaAJrKkJj8L.exe
MD5
8c03063314b0aa3d6a7d26c1f6db60b4

SHA1
6955952347314e7e19895778af232b14a15c736d

SHA256
8378458c45be220207b12b7dbeeee4fcd9a4c4f51973d828834b418ded6e781f

SHA512
d55407a63928afa38612e58fef7253452cc799f8659c4a78e93ba94b2d07feb7a2e47e1294b79879b440fe5bc8ad0d8c7563a6d4e1a0e2d31aa9424c009f9839

Download Submit
C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\jCiDgIXeJwaAJrKkJj8L.exe
MD5
8c03063314b0aa3d6a7d26c1f6db60b4

SHA1
6955952347314e7e19895778af232b14a15c736d

SHA256
8378458c45be220207b12b7dbeeee4fcd9a4c4f51973d828834b418ded6e781f

SHA512
d55407a63928afa38612e58fef7253452cc799f8659c4a78e93ba94b2d07feb7a2e47e1294b79879b440fe5bc8ad0d8c7563a6d4e1a0e2d31aa9424c009f9839

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6EDNA.tmp\fires_258452962.tmp
MD5
ce9501d639d11ab993d448910aefe479

SHA1
0b411ca79303059eddc490d9cfda27c135bbd9d8

SHA256
b97c3a288eeac5924616e5a0746f5608741d8428bfbbcaa7cd4b41026d6256fd

SHA512
945f6a1e6de5ae03dcd1e76d39320fea95c0f9fad3181bfd18770793f34573eaca9659fc9b1f765efeaa64ef75c1d5dab06438628c646d993a1ab6b6f6a3ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6EDNA.tmp\fires_258452962.tmp
MD5
ce9501d639d11ab993d448910aefe479

SHA1
0b411ca79303059eddc490d9cfda27c135bbd9d8

SHA256
b97c3a288eeac5924616e5a0746f5608741d8428bfbbcaa7cd4b41026d6256fd

SHA512
945f6a1e6de5ae03dcd1e76d39320fea95c0f9fad3181bfd18770793f34573eaca9659fc9b1f765efeaa64ef75c1d5dab06438628c646d993a1ab6b6f6a3ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LULED.tmp\vpn.tmp
MD5
08ae6b558839412d71c7e63c2ccee469

SHA1
8864aada0d862a58bd94bcdaedb7cd5bb7747a00

SHA256
45a8436696aeff3ffd6e502ee9709dcffd4ee6967c873b89c634233dbb3b9834

SHA512
1b41a4be48ba8a3cd48b11085faf1124c220fc74cea76976ce52875954f3bcfa857954d3914805db4ffdc32b562b2afbed1ed58668ed4d6e5628bf6c67a9cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LULED.tmp\vpn.tmp
MD5
08ae6b558839412d71c7e63c2ccee469

SHA1
8864aada0d862a58bd94bcdaedb7cd5bb7747a00

SHA256
45a8436696aeff3ffd6e502ee9709dcffd4ee6967c873b89c634233dbb3b9834

SHA512
1b41a4be48ba8a3cd48b11085faf1124c220fc74cea76976ce52875954f3bcfa857954d3914805db4ffdc32b562b2afbed1ed58668ed4d6e5628bf6c67a9cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5BA2F~1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5ba2fa9e-55dc-6d49-4ff1-e606a28a6e22}\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5ba2fa9e-55dc-6d49-4ff1-e606a28a6e22}\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi
MD5
3af865e33a6e36a5032bbc1e90d3bd6c

SHA1
e55a9015ebca7e35025ebdc45bcc66cb2a2d7517

SHA256
aa331b692e66a8c0b7dc1f79ed02a550b583d47b19d749b4dbf942aecf75e5ae

SHA512
bd9cb033b4ff767a2e8a93d089be57349a8240d3c42f716c46f6a78607636d198d65b4b58c308046806be0e42177f34324508ed12faaa71465f782617b5e7cc3

Download Submit
C:\Windows\Installer\MSIF4DC.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\??\c:\PROGRA~2\maskvpn\driver\win764\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\maskvpn\driver\win764\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\Program Files (x86)\Est\odit\Et.exe
MD5
7249e0f3529560fc42e651f28ab106fd

SHA1
27a616b4ded4b54139cfd51eab9ebeadf1e66b6f

SHA256
05c08274684001e2822b82293939350a2ba44b0f18a2772bb5364bfc0e13a2b3

SHA512
154921a42c24c81d28702537f1209ff9d8b96706ed0502705e6113ab8d90de5ee4c2847186520dec1a8d714e945af6d0da480c11765f34e1351c39a6401ba7df

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Users\Admin\AppData\Local\Temp\1860006078.exe
MD5
8f42d6ac2ff0bd507f77fc6f2077ecae

SHA1
3f6eb11f4dc112aed5aac9fe3feb78f77e068c93

SHA256
cb1c124f7c5ee7ff7e260a15a4c8dcbce9dc4d3c3f4a1bbc54fda408970d045f

SHA512
2de3ab74384d24ccc5ae083dda82956d722f87e5d0b06ee183a42b92c8a881758940b773e2aa19ecb0a0b22c0b5522e60700604011f12cb2e72c06722864daa7

Download Submit
\Users\Admin\AppData\Local\Temp\MSIED51.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEF36.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF021.tmp
MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
\Users\Admin\AppData\Local\Temp\TlwWJwwZ\G7lKwvX.exe
MD5
208eb0912e5b6bcd0fa6f4f3d3b6f4f9

SHA1
d9f80e863a0435a991f601da93fcec3d4a813405

SHA256
e7d29e072c40ce7fbe34fbf7d32d38166c56299954d33c39acfbcafb1f18e93a

SHA512
d1cafd13483724fae43b81e9889a44462f51b6b16c23a30750264c8d5c435665ddacf0b10df2659fb4a7ed79efa2e89480ee1102a3d798492ba5da9d3d36e796

Download Submit
\Users\Admin\AppData\Local\Temp\aPRK1Qj1\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
\Users\Admin\AppData\Local\Temp\aW3SFbVV\jCiDgIXeJwaAJrKkJj8L.exe
MD5
8c03063314b0aa3d6a7d26c1f6db60b4

SHA1
6955952347314e7e19895778af232b14a15c736d

SHA256
8378458c45be220207b12b7dbeeee4fcd9a4c4f51973d828834b418ded6e781f

SHA512
d55407a63928afa38612e58fef7253452cc799f8659c4a78e93ba94b2d07feb7a2e47e1294b79879b440fe5bc8ad0d8c7563a6d4e1a0e2d31aa9424c009f9839

Download Submit
\Users\Admin\AppData\Local\Temp\is-6EDNA.tmp\fires_258452962.tmp
MD5
ce9501d639d11ab993d448910aefe479

SHA1
0b411ca79303059eddc490d9cfda27c135bbd9d8

SHA256
b97c3a288eeac5924616e5a0746f5608741d8428bfbbcaa7cd4b41026d6256fd

SHA512
945f6a1e6de5ae03dcd1e76d39320fea95c0f9fad3181bfd18770793f34573eaca9659fc9b1f765efeaa64ef75c1d5dab06438628c646d993a1ab6b6f6a3ea02

Download Submit
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-E9CGV.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Local\Temp\is-IKT60.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-IKT60.tmp\_isetup\_isdecmp.dll
MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-IKT60.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IKT60.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LULED.tmp\vpn.tmp
MD5
08ae6b558839412d71c7e63c2ccee469

SHA1
8864aada0d862a58bd94bcdaedb7cd5bb7747a00

SHA256
45a8436696aeff3ffd6e502ee9709dcffd4ee6967c873b89c634233dbb3b9834

SHA512
1b41a4be48ba8a3cd48b11085faf1124c220fc74cea76976ce52875954f3bcfa857954d3914805db4ffdc32b562b2afbed1ed58668ed4d6e5628bf6c67a9cf75

Download Submit
\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll
MD5
fddee40c512e40f05ed565f1a00e85f1

SHA1
2f0096e7418d19d8df8515f9899e87ca6671b517

SHA256
f7ab1e969edfece0c89bd4d79ce3cc70ff46e460da4d9d90b1ef91f3a0716265

SHA512
6845cb0f841572e7c516b8401eab4aadcdd492613ffb09ccd07ce254d6748ddde4b3b566b3e8fb2ea841c8fd5977d6f1fddaadda81e0f39d8736323e750c8127

Download Submit
\Windows\Installer\MSIF4DC.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
memory/272-25-0x0000000000000000-mapping.dmp

Download
memory/272-40-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/760-647-0x00000000030E0000-0x00000000030F1000-memory.dmp

Filesize
68KB

Download
memory/760-646-0x0000000000000000-mapping.dmp

Download
memory/844-617-0x0000000000000000-mapping.dmp

Download
memory/848-1430-0x0000000000000000-mapping.dmp

Download
memory/848-1431-0x0000000002FE0000-0x0000000002FF1000-memory.dmp

Filesize
68KB

Download
memory/848-1432-0x0000000002FE0000-0x0000000002FF1000-memory.dmp

Filesize
68KB

Download
memory/852-619-0x0000000000000000-mapping.dmp

Download
memory/904-4-0x0000000000000000-mapping.dmp

Download
memory/904-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/904-11-0x0000000074AF1000-0x0000000074AF3000-memory.dmp

Filesize
8KB

Download
memory/1032-73-0x0000000000000000-mapping.dmp

Download
memory/1072-629-0x00000000030B0000-0x00000000030C1000-memory.dmp

Filesize
68KB

Download
memory/1072-626-0x0000000000000000-mapping.dmp

Download
memory/1108-76-0x0000000000000000-mapping.dmp

Download
memory/1120-618-0x0000000000000000-mapping.dmp

Download
memory/1292-635-0x0000000000000000-mapping.dmp

Download
memory/1344-33-0x0000000000000000-mapping.dmp

Download
memory/1448-620-0x0000000000000000-mapping.dmp

Download
memory/1452-61-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/1516-41-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1516-46-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1516-31-0x0000000000000000-mapping.dmp

Download
memory/1516-56-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/1528-69-0x0000000000000000-mapping.dmp

Download
memory/1556-645-0x0000000000000000-mapping.dmp

Download
memory/1740-13-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1740-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1816-1157-0x0000000004590000-0x00000000045A1000-memory.dmp

Filesize
68KB

Download
memory/1816-655-0x0000000004590000-0x00000000045A1000-memory.dmp

Filesize
68KB

Download
memory/1816-651-0x0000000000000000-mapping.dmp

Download
memory/1816-653-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1816-656-0x0000000004180000-0x0000000004191000-memory.dmp

Filesize
68KB

Download
memory/1816-654-0x0000000004180000-0x0000000004191000-memory.dmp

Filesize
68KB

Download
memory/1816-1156-0x0000000004180000-0x0000000004191000-memory.dmp

Filesize
68KB

Download
memory/1816-1338-0x0000000004180000-0x0000000004191000-memory.dmp

Filesize
68KB

Download
memory/1816-1158-0x0000000004180000-0x0000000004191000-memory.dmp

Filesize
68KB

Download
memory/1824-641-0x0000000000000000-mapping.dmp

Download
memory/1824-642-0x0000000003C90000-0x0000000003CA1000-memory.dmp

Filesize
68KB

Download
memory/1844-49-0x0000000000000000-mapping.dmp

Download
memory/1844-57-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1844-58-0x0000000003AF0000-0x0000000003AF4000-memory.dmp

Filesize
16KB

Download
memory/1864-63-0x0000000000000000-mapping.dmp

Download
memory/1964-42-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download
memory/1980-20-0x00000000051A0000-0x00000000051B1000-memory.dmp

Filesize
68KB

Download
memory/1980-23-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1980-21-0x00000000055B0000-0x00000000055C1000-memory.dmp

Filesize
68KB

Download
memory/1980-16-0x0000000000000000-mapping.dmp

Download
memory/1980-22-0x0000000000400000-0x0000000001644000-memory.dmp

Filesize
18.3MB

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download
memory/1992-640-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/1992-615-0x0000000000000000-mapping.dmp

Download
memory/2084-86-0x0000000000000000-mapping.dmp

Download
memory/2084-612-0x0000000002360000-0x0000000002364000-memory.dmp

Filesize
16KB

Download
memory/2104-643-0x0000000000000000-mapping.dmp

Download
memory/2152-143-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2152-144-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2152-150-0x00000000346C0000-0x00000000346D1000-memory.dmp

Filesize
68KB

Download
memory/2152-149-0x0000000034AD0000-0x0000000034AE1000-memory.dmp

Filesize
68KB

Download
memory/2152-148-0x00000000346C0000-0x00000000346D1000-memory.dmp

Filesize
68KB

Download
memory/2152-158-0x00000000346C0000-0x00000000346D1000-memory.dmp

Filesize
68KB

Download
memory/2152-159-0x00000000346C0000-0x00000000346D1000-memory.dmp

Filesize
68KB

Download
memory/2152-315-0x00000000346C0000-0x00000000346D1000-memory.dmp

Filesize
68KB

Download
memory/2152-316-0x0000000034CD0000-0x0000000034CE1000-memory.dmp

Filesize
68KB

Download
memory/2152-317-0x00000000346C0000-0x00000000346D1000-memory.dmp

Filesize
68KB

Download
memory/2152-649-0x0000000034CD0000-0x0000000034CE1000-memory.dmp

Filesize
68KB

Download
memory/2152-146-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2152-648-0x0000000034CD0000-0x0000000034CE1000-memory.dmp

Filesize
68KB

Download
memory/2172-636-0x0000000000000000-mapping.dmp

Download
memory/2276-103-0x00000000719F0000-0x00000000720DE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-100-0x0000000000000000-mapping.dmp

Download
memory/2276-110-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2276-108-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2324-104-0x0000000000000000-mapping.dmp

Download
memory/2332-610-0x0000000000000000-mapping.dmp

Download
memory/2424-638-0x0000000000000000-mapping.dmp

Download
memory/2424-639-0x0000000003CB0000-0x0000000003CC1000-memory.dmp

Filesize
68KB

Download
memory/2460-624-0x0000000000000000-mapping.dmp

Download
memory/2480-127-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2480-128-0x000000000041F38A-mapping.dmp

Download
memory/2480-129-0x00000000719F0000-0x00000000720DE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-130-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2480-147-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2480-634-0x0000000000000000-mapping.dmp

Download
memory/2520-613-0x0000000000000000-mapping.dmp

Download
memory/2560-621-0x0000000000000000-mapping.dmp

Download
memory/2592-623-0x0000000000000000-mapping.dmp

Download
memory/2604-633-0x0000000000000000-mapping.dmp

Download
memory/2660-132-0x0000000000000000-mapping.dmp

Download
memory/2672-616-0x0000000000000000-mapping.dmp

Download
memory/2676-133-0x0000000000000000-mapping.dmp

Download
memory/2756-136-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2756-134-0x0000000000000000-mapping.dmp

Download
memory/2844-631-0x0000000000000000-mapping.dmp

Download
memory/2844-632-0x0000000002F00000-0x0000000002F11000-memory.dmp

Filesize
68KB

Download
memory/2864-627-0x0000000000000000-mapping.dmp

Download
memory/2864-630-0x0000000002EA0000-0x0000000002EB1000-memory.dmp

Filesize
68KB

Download
memory/2892-628-0x0000000003AF0000-0x0000000003B01000-memory.dmp

Filesize
68KB

Download
memory/2892-625-0x0000000000000000-mapping.dmp

Download
memory/2936-140-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/2936-111-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2936-112-0x000000000041F39E-mapping.dmp

Download
memory/2936-113-0x00000000719F0000-0x00000000720DE000-memory.dmp

Filesize
6.9MB

Download
memory/2936-114-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2992-115-0x0000000000000000-mapping.dmp

Download
memory/2992-126-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2992-125-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2992-124-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/3020-644-0x0000000000000000-mapping.dmp

Download
memory/3064-117-0x0000000000000000-mapping.dmp

Download
memory/3064-118-0x00000000719F0000-0x00000000720DE000-memory.dmp

Filesize
6.9MB

Download
memory/3064-119-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3064-123-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download