redline | ceea3e1b3829e10af9e68a64866ff4acbaa96f759b997fa68a1be90e6f4f36c1

Resubmissions

12-03-2021 16:40

210312-n86zntexka 10

12-03-2021 16:36

210312-h45jelee7x 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
12-03-2021 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fires_258452962.exe
Size

4.5MB
MD5

90ce8dd992c0393eb7621e1c773b8914
SHA1

118efa19dc43b23b76b7d558a3f66d40f0d1b4bc
SHA256

3efbdb687b9cbb20fb1c2b12e567a650584ddadc598a9e580a70fe0feb14a2bb
SHA512

014239b2cb990c8f26e8b038d58782a562a3a2489bf2c68e2d7cb9c84d29460b1c59b0ecf4045abd40e8ea6e864e3e507f1e33a2f5afd802926b0688e25b6c84

Score

10^/10

redline discovery infostealer persistence upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2676-93-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/2676-94-0x000000000041F39E-mapping.dmp	family_redline
behavioral2/memory/4392-133-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/4392-134-0x000000000041F38A-mapping.dmp	family_redline

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\ApiTool.dll	acprotect
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\ApiTool.dll	acprotect

Blocklisted process makes network request 10 IoCs

Processes:

MsiExec.exe

flow	pid	process
68	4920	MsiExec.exe
70	4920	MsiExec.exe
74	4920	MsiExec.exe
76	4920	MsiExec.exe
77	4920	MsiExec.exe
76	4920	MsiExec.exe
68	4920	MsiExec.exe
74	4920	MsiExec.exe
70	4920	MsiExec.exe
77	4920	MsiExec.exe

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File created	C:\Windows\System32\drivers\SET43C0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET43C0.tmp	DrvInst.exe

Executes dropped EXE 24 IoCs

Processes:

fires_258452962.tmpEt.exeqZ0RXW.exevpn.exevpn.tmp925406572.exeu9KDbtfva5XjKPsI.exetapinstall.exe1275649726.exetapinstall.exemask_svc.exemask_svc.exemask_svc.exeaipackagechainer.exeWeather_Installation.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeMaskVPNUpdate.exeWeather.exeWeather.exe

pid	process
1680	fires_258452962.tmp
3376	Et.exe
2268	qZ0RXW.exe
576	vpn.exe
1516	vpn.tmp
1760	925406572.exe
3824	u9KDbtfva5XjKPsI.exe
2784	tapinstall.exe
1896	1275649726.exe
4284	tapinstall.exe
5104	mask_svc.exe
4400	mask_svc.exe
3980	mask_svc.exe
3384	aipackagechainer.exe
4280	Weather_Installation.exe
4180	Weather.exe
4940	Weather.exe
4700	Weather.exe
3416	Weather.exe
3880	Weather.exe
4416	Weather.exe
4340	MaskVPNUpdate.exe
4312	Weather.exe
4380	Weather.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\ApiTool.dll	upx
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\ApiTool.dll	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Weather.exeWeather.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	Weather.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	Weather.exe

Loads dropped DLL 64 IoCs

Processes:

fires_258452962.tmpvpn.tmpu9KDbtfva5XjKPsI.exeMsiExec.exeMsiExec.exemask_svc.exeWeather_Installation.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exe

pid	process
1680	fires_258452962.tmp
1680	fires_258452962.tmp
1680	fires_258452962.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
3824	u9KDbtfva5XjKPsI.exe
3932	MsiExec.exe
3932	MsiExec.exe
3932	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
4920	MsiExec.exe
3980	mask_svc.exe
3980	mask_svc.exe
3980	mask_svc.exe
3980	mask_svc.exe
3980	mask_svc.exe
3980	mask_svc.exe
1516	vpn.tmp
1516	vpn.tmp
4280	Weather_Installation.exe
4280	Weather_Installation.exe
4280	Weather_Installation.exe
4280	Weather_Installation.exe
4280	Weather_Installation.exe
4280	Weather_Installation.exe
4180	Weather.exe
4280	Weather_Installation.exe
4180	Weather.exe
4180	Weather.exe
4940	Weather.exe
4700	Weather.exe
4700	Weather.exe
4700	Weather.exe
3416	Weather.exe
3880	Weather.exe
3880	Weather.exe
3880	Weather.exe
3416	Weather.exe
3416	Weather.exe
4416	Weather.exe
4416	Weather.exe
4416	Weather.exe
4416	Weather.exe
4700	Weather.exe
4700	Weather.exe
4312	Weather.exe
4312	Weather.exe
4312	Weather.exe
4312	Weather.exe
4312	Weather.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aipackagechainer.exeWeather_Installation.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Weather_Installation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Users\\Admin\\AppData\\Roaming\\Weather\\Weather.exe --anbfs"	Weather_Installation.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u9KDbtfva5XjKPsI.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\M:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\O:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\Z:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\P:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\R:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\Y:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\W:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\E:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\V:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\S:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\X:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\J:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\N:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\Q:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\U:	u9KDbtfva5XjKPsI.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	u9KDbtfva5XjKPsI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 17 IoCs

Processes:

DrvInst.exetapinstall.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\SET40A6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\SET40A6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\SET4094.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\SET40A5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\SET4094.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}\SET40A5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5f10a6ac-176f-7941-96ea-69095a4fc328}	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

5104 mask_svc.exe
4400 mask_svc.exe
3980 mask_svc.exe

pid	process
5104	mask_svc.exe
4400	mask_svc.exe
3980	mask_svc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

925406572.exe1275649726.exe

description	pid	process	target process
PID 1760 set thread context of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1896 set thread context of 4392	1896	1275649726.exe	AddInProcess32.exe

Drops file in Program Files directory 64 IoCs

Processes:

fires_258452962.tmpvpn.tmp

description	ioc	process
File created	C:\Program Files (x86)\Est\illo\is-58UTH.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-UAHOF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-SNK4C.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-4K596.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-74JNF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-424SC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-TD2CG.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\illo\is-F74LS.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\quo\is-P70HM.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\is-K2KGO.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-DC2KP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-4BIH3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-R5SK4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File created	C:\Program Files (x86)\Est\is-D623S.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\odit\is-QGMRU.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VQNK4.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\eos\is-608FJ.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\odit\is-87DH1.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\is-G4SR0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-68SK2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SLEQ9.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GKVL8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-IQPFF.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Est\odit\Et.exe	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\odit\is-I3B90.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-LH62P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-K9QR7.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-3PRSJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-0U99V.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\odit\is-TGR06.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\odit\is-DUN8A.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\Est\unins000.dat	fires_258452962.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-6U2U2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1KHN9.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QQ0OQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-UCILD.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-VTC3P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-7MOD4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-MI5F6.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\is-989KT.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SRM0K.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SIK5G.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\illo\is-KVCD2.tmp	fires_258452962.tmp
File created	C:\Program Files (x86)\Est\odit\is-32EUR.tmp	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-TGDF5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-RKFO6.tmp	vpn.tmp
File created	C:\Program Files (x86)\Est\unins000.dat	fires_258452962.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-U049R.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-K3810.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-2GIHG.tmp	vpn.tmp

Drops file in Windows directory 26 IoCs

Processes:

msiexec.exeDrvInst.exesvchost.exeaipackagechainer.exetapinstall.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI4A6D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Installer\MSI4A0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5252.tmp	msiexec.exe
File created	C:\Windows\Installer\f754121.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4826.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21B.tmp	msiexec.exe
File created	C:\Windows\Tasks\.job	aipackagechainer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\f754121.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4912.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI49DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4EB5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 41 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1988	3376	WerFault.exe	Et.exe
3804	3376	WerFault.exe	Et.exe
1468	3376	WerFault.exe	Et.exe
3700	3376	WerFault.exe	Et.exe
1220	3376	WerFault.exe	Et.exe
3192	3376	WerFault.exe	Et.exe
3876	3376	WerFault.exe	Et.exe
1224	3376	WerFault.exe	Et.exe
1432	3376	WerFault.exe	Et.exe
2472	3376	WerFault.exe	Et.exe
2736	3376	WerFault.exe	Et.exe
1576	3376	WerFault.exe	Et.exe
3564	3376	WerFault.exe	Et.exe
1912	3376	WerFault.exe	Et.exe
2136	3376	WerFault.exe	Et.exe
3892	3376	WerFault.exe	Et.exe
3044	3376	WerFault.exe	Et.exe
1796	3376	WerFault.exe	Et.exe
2216	3376	WerFault.exe	Et.exe
3848	3376	WerFault.exe	Et.exe
2496	3376	WerFault.exe	Et.exe
1460	3376	WerFault.exe	Et.exe
588	3376	WerFault.exe	Et.exe
516	3376	WerFault.exe	Et.exe
4060	3376	WerFault.exe	Et.exe
1672	3376	WerFault.exe	Et.exe
1592	3376	WerFault.exe	Et.exe
3940	3376	WerFault.exe	Et.exe
2464	3376	WerFault.exe	Et.exe
2196	3376	WerFault.exe	Et.exe
2976	3376	WerFault.exe	Et.exe
584	3376	WerFault.exe	Et.exe
2036	3376	WerFault.exe	Et.exe
2032	3376	WerFault.exe	Et.exe
212	3376	WerFault.exe	Et.exe
3096	3376	WerFault.exe	Et.exe
3968	3376	WerFault.exe	Et.exe
4620	3376	WerFault.exe	Et.exe
4720	3376	WerFault.exe	Et.exe
4808	3376	WerFault.exe	Et.exe
5004	3376	WerFault.exe	Et.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exesvchost.exeDrvInst.exetapinstall.exeDrvInst.exetapinstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4300 timeout.exe
2332 timeout.exe
4344 timeout.exe

pid	process
4300	timeout.exe
2332	timeout.exe
4344	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.exeDrvInst.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-572 = "China Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	mask_svc.exe

Modifies registry class 9 IoCs

Processes:

7zG.exevpn.tmpEt.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	7zG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	vpn.tmp
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Et.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	7zG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	vpn.tmp

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tapinstall.exeu9KDbtfva5XjKPsI.exevpn.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	u9KDbtfva5XjKPsI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	u9KDbtfva5XjKPsI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	u9KDbtfva5XjKPsI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	u9KDbtfva5XjKPsI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	u9KDbtfva5XjKPsI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	u9KDbtfva5XjKPsI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	u9KDbtfva5XjKPsI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4664 PING.EXE

pid	process
4664	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fires_258452962.tmpEt.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1680	fires_258452962.tmp
1680	fires_258452962.tmp
3376	Et.exe
3376	Et.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exevpn.tmpWerFault.exeWerFault.exe925406572.exeWerFault.exeWerFault.exemsiexec.exeu9KDbtfva5XjKPsI.exe

description	pid	process
Token: SeRestorePrivilege	1988	WerFault.exe
Token: SeBackupPrivilege	1988	WerFault.exe
Token: SeDebugPrivilege	1988	WerFault.exe
Token: SeDebugPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	1468	WerFault.exe
Token: SeDebugPrivilege	3700	WerFault.exe
Token: SeDebugPrivilege	1220	WerFault.exe
Token: SeDebugPrivilege	3192	WerFault.exe
Token: SeDebugPrivilege	3876	WerFault.exe
Token: SeDebugPrivilege	1224	WerFault.exe
Token: SeDebugPrivilege	1432	WerFault.exe
Token: SeDebugPrivilege	2472	WerFault.exe
Token: SeDebugPrivilege	2736	WerFault.exe
Token: SeDebugPrivilege	1576	WerFault.exe
Token: SeDebugPrivilege	3564	WerFault.exe
Token: SeDebugPrivilege	1912	WerFault.exe
Token: SeDebugPrivilege	2136	WerFault.exe
Token: SeDebugPrivilege	3892	WerFault.exe
Token: SeDebugPrivilege	3044	WerFault.exe
Token: SeDebugPrivilege	1796	WerFault.exe
Token: SeDebugPrivilege	2216	WerFault.exe
Token: SeDebugPrivilege	3848	WerFault.exe
Token: SeDebugPrivilege	2496	WerFault.exe
Token: SeDebugPrivilege	1460	WerFault.exe
Token: SeDebugPrivilege	588	WerFault.exe
Token: SeDebugPrivilege	516	WerFault.exe
Token: SeDebugPrivilege	4060	WerFault.exe
Token: SeDebugPrivilege	1672	WerFault.exe
Token: SeDebugPrivilege	1592	WerFault.exe
Token: SeDebugPrivilege	3940	WerFault.exe
Token: SeDebugPrivilege	2464	WerFault.exe
Token: SeDebugPrivilege	2196	WerFault.exe
Token: SeDebugPrivilege	2976	WerFault.exe
Token: SeDebugPrivilege	584	WerFault.exe
Token: SeDebugPrivilege	2036	WerFault.exe
Token: SeDebugPrivilege	1516	vpn.tmp
Token: SeDebugPrivilege	2032	WerFault.exe
Token: SeDebugPrivilege	1516	vpn.tmp
Token: SeDebugPrivilege	212	WerFault.exe
Token: SeDebugPrivilege	1760	925406572.exe
Token: SeDebugPrivilege	3096	WerFault.exe
Token: SeDebugPrivilege	3968	WerFault.exe
Token: SeSecurityPrivilege	1776	msiexec.exe
Token: SeCreateTokenPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeAssignPrimaryTokenPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeLockMemoryPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeIncreaseQuotaPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeMachineAccountPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeTcbPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeSecurityPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeTakeOwnershipPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeLoadDriverPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeSystemProfilePrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeSystemtimePrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeProfSingleProcessPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeIncBasePriorityPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeCreatePagefilePrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeCreatePermanentPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeBackupPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeRestorePrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeShutdownPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeDebugPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeAuditPrivilege	3824	u9KDbtfva5XjKPsI.exe
Token: SeSystemEnvironmentPrivilege	3824	u9KDbtfva5XjKPsI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

fires_258452962.tmpvpn.tmpu9KDbtfva5XjKPsI.exe

pid	process
1680	fires_258452962.tmp
1516	vpn.tmp
3824	u9KDbtfva5XjKPsI.exe
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp
1516	vpn.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeMaskVPNUpdate.exe

pid process

2920 OpenWith.exe
4340 MaskVPNUpdate.exe

pid	process
2920	OpenWith.exe
4340	MaskVPNUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fires_258452962.exefires_258452962.tmpEt.exevpn.exeqZ0RXW.exevpn.tmp925406572.execmd.exemsiexec.execmd.exeu9KDbtfva5XjKPsI.exe1275649726.exesvchost.execmd.exe

description	pid	process	target process
PID 700 wrote to memory of 1680	700	fires_258452962.exe	fires_258452962.tmp
PID 700 wrote to memory of 1680	700	fires_258452962.exe	fires_258452962.tmp
PID 700 wrote to memory of 1680	700	fires_258452962.exe	fires_258452962.tmp
PID 1680 wrote to memory of 3376	1680	fires_258452962.tmp	Et.exe
PID 1680 wrote to memory of 3376	1680	fires_258452962.tmp	Et.exe
PID 1680 wrote to memory of 3376	1680	fires_258452962.tmp	Et.exe
PID 3376 wrote to memory of 2268	3376	Et.exe	qZ0RXW.exe
PID 3376 wrote to memory of 2268	3376	Et.exe	qZ0RXW.exe
PID 3376 wrote to memory of 2268	3376	Et.exe	qZ0RXW.exe
PID 3376 wrote to memory of 576	3376	Et.exe	vpn.exe
PID 3376 wrote to memory of 576	3376	Et.exe	vpn.exe
PID 3376 wrote to memory of 576	3376	Et.exe	vpn.exe
PID 576 wrote to memory of 1516	576	vpn.exe	vpn.tmp
PID 576 wrote to memory of 1516	576	vpn.exe	vpn.tmp
PID 576 wrote to memory of 1516	576	vpn.exe	vpn.tmp
PID 2268 wrote to memory of 1760	2268	qZ0RXW.exe	925406572.exe
PID 2268 wrote to memory of 1760	2268	qZ0RXW.exe	925406572.exe
PID 2268 wrote to memory of 1760	2268	qZ0RXW.exe	925406572.exe
PID 3376 wrote to memory of 3824	3376	Et.exe	u9KDbtfva5XjKPsI.exe
PID 3376 wrote to memory of 3824	3376	Et.exe	u9KDbtfva5XjKPsI.exe
PID 3376 wrote to memory of 3824	3376	Et.exe	u9KDbtfva5XjKPsI.exe
PID 1516 wrote to memory of 2260	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 2260	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 2260	1516	vpn.tmp	cmd.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 1760 wrote to memory of 2676	1760	925406572.exe	AddInProcess32.exe
PID 2260 wrote to memory of 2784	2260	cmd.exe	tapinstall.exe
PID 2260 wrote to memory of 2784	2260	cmd.exe	tapinstall.exe
PID 1776 wrote to memory of 3932	1776	msiexec.exe	MsiExec.exe
PID 1776 wrote to memory of 3932	1776	msiexec.exe	MsiExec.exe
PID 1776 wrote to memory of 3932	1776	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1896	2268	qZ0RXW.exe	1275649726.exe
PID 2268 wrote to memory of 1896	2268	qZ0RXW.exe	1275649726.exe
PID 2268 wrote to memory of 1896	2268	qZ0RXW.exe	1275649726.exe
PID 1516 wrote to memory of 4184	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 4184	1516	vpn.tmp	cmd.exe
PID 1516 wrote to memory of 4184	1516	vpn.tmp	cmd.exe
PID 4184 wrote to memory of 4284	4184	cmd.exe	tapinstall.exe
PID 4184 wrote to memory of 4284	4184	cmd.exe	tapinstall.exe
PID 3824 wrote to memory of 4352	3824	u9KDbtfva5XjKPsI.exe	msiexec.exe
PID 3824 wrote to memory of 4352	3824	u9KDbtfva5XjKPsI.exe	msiexec.exe
PID 3824 wrote to memory of 4352	3824	u9KDbtfva5XjKPsI.exe	msiexec.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 1896 wrote to memory of 4392	1896	1275649726.exe	AddInProcess32.exe
PID 2268 wrote to memory of 4516	2268	qZ0RXW.exe	cmd.exe
PID 2268 wrote to memory of 4516	2268	qZ0RXW.exe	cmd.exe
PID 2268 wrote to memory of 4516	2268	qZ0RXW.exe	cmd.exe
PID 4496 wrote to memory of 4536	4496	svchost.exe	DrvInst.exe
PID 4496 wrote to memory of 4536	4496	svchost.exe	DrvInst.exe
PID 4516 wrote to memory of 4664	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 4664	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 4664	4516	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

4636 attrib.exe
4612 attrib.exe
1364 attrib.exe
4460 attrib.exe

pid	process
4636	attrib.exe
4612	attrib.exe
1364	attrib.exe
4460	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fires_258452962.exe
"C:\Users\Admin\AppData\Local\Temp\fires_258452962.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\is-FNPKC.tmp\fires_258452962.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FNPKC.tmp\fires_258452962.tmp" /SL5="$20120,4313631,119296,C:\Users\Admin\AppData\Local\Temp\fires_258452962.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files (x86)\Est\odit\Et.exe
"C:\Program Files (x86)\Est/\odit\Et.exe" 31a9b403cadb2d356a3db6e4467af31a
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1000
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 980
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1044
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1148
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1180
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1132
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1212
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1356
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1320
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1004
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1288
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1488
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1336
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1476
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1508
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1548
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1512
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1728
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1668
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1684
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1748
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1728
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1776
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1820
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1836
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1764
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1856
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1480
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2012
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Users\Admin\AppData\Local\Temp\1g8N8Qzs\qZ0RXW.exe
C:\Users\Admin\AppData\Local\Temp\1g8N8Qzs\qZ0RXW.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\925406572.exe
C:\Users\Admin\AppData\Local\Temp\925406572.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\1275649726.exe
C:\Users\Admin\AppData\Local\Temp\1275649726.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\1g8N8Qzs\qZ0RXW.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\PING.EXE
ping 0
6⤵
- Runs ping.exe
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2052
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2136
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\mN6EExPU\vpn.exe
C:\Users\Admin\AppData\Local\Temp\mN6EExPU\vpn.exe /silent /subid=510x31a9b403cadb2d356a3db6e4467af31a
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\is-BL1M0.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BL1M0.tmp\vpn.tmp" /SL5="$102D8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\mN6EExPU\vpn.exe" /silent /subid=510x31a9b403cadb2d356a3db6e4467af31a
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:4284

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5104

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2108
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2132
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1956
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\SDiHvdnb\u9KDbtfva5XjKPsI.exe
C:\Users\Admin\AppData\Local\Temp\SDiHvdnb\u9KDbtfva5XjKPsI.exe /quiet SILENT=1 AF=721__31a9b403cadb2d356a3db6e4467af31a
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=721__31a9b403cadb2d356a3db6e4467af31a AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\SDiHvdnb\u9KDbtfva5XjKPsI.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\SDiHvdnb\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1615311348 /quiet SILENT=1 AF=721__31a9b403cadb2d356a3db6e4467af31a " AF="721__31a9b403cadb2d356a3db6e4467af31a" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
5⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1896
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2100
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2120
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1740
4⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1988
4⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2040
4⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1208
4⤵
- Program crash
PID:5004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3137AF7DD31B84C50C316C4947923D05 C
2⤵
- Loads dropped DLL
PID:3932

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DD186933F8FB5CE9901BD34E47CDA58B
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4920

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:3384

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=721__31a9b403cadb2d356a3db6e4467af31a -BF=default -uncf=default
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:4280

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4180

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffc335d9ec0,0x7ffc335d9ed0,0x7ffc335d9ee0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4940

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1648,17014202628813900224,7129117010246363704,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4180_33192204" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1696 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4700

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,17014202628813900224,7129117010246363704,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4180_33192204" --mojo-platform-channel-handle=1752 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3416

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1648,17014202628813900224,7129117010246363704,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4180_33192204" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2612 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4416

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,17014202628813900224,7129117010246363704,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4180_33192204" --mojo-platform-channel-handle=2112 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3880

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1648,17014202628813900224,7129117010246363704,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4180_33192204" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1812 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4312

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,17014202628813900224,7129117010246363704,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4180_33192204" --mojo-platform-channel-handle=3116 /prefetch:8
5⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE41A8.bat" "
3⤵
PID:4916

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:4612

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4300

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE41A8.bat"
4⤵
- Views/modifies file attributes
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE41A8.bat" "
4⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE41E8.bat" "
3⤵
PID:4228

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:4636

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4344

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2332

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE41E8.bat"
4⤵
- Views/modifies file attributes
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE41E8.bat" "
4⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:2300

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{27eb3892-e5c8-4f46-9acc-8346d629284b}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4536

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4772

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4824

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:4836

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:3980

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\FireSkull Hack.rar\" -ad -an -ai#7zMap5761:98:7zEvent21266
1⤵
- Modifies registry class
PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Est\odit\Et.exe
MD5
7249e0f3529560fc42e651f28ab106fd

SHA1
27a616b4ded4b54139cfd51eab9ebeadf1e66b6f

SHA256
05c08274684001e2822b82293939350a2ba44b0f18a2772bb5364bfc0e13a2b3

SHA512
154921a42c24c81d28702537f1209ff9d8b96706ed0502705e6113ab8d90de5ee4c2847186520dec1a8d714e945af6d0da480c11765f34e1351c39a6401ba7df

Download Submit
C:\Program Files (x86)\Est\odit\Et.exe
MD5
7249e0f3529560fc42e651f28ab106fd

SHA1
27a616b4ded4b54139cfd51eab9ebeadf1e66b6f

SHA256
05c08274684001e2822b82293939350a2ba44b0f18a2772bb5364bfc0e13a2b3

SHA512
154921a42c24c81d28702537f1209ff9d8b96706ed0502705e6113ab8d90de5ee4c2847186520dec1a8d714e945af6d0da480c11765f34e1351c39a6401ba7df

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\install.bat
MD5
3a05ce392d84463b43858e26c48f9cbf

SHA1
78f624e2c81c3d745a45477d61749b8452c129f1

SHA256
5b56d8b121fc9a7f2d4e90edb1b29373cd2d06bac1c54ada8f6cb559b411180b

SHA512
8a31fda09f0fa7779c4fb0c0629d4d446957c8aaae0595759dd2b434e84a17ecb6ffe4beff973a245caf0452a0c04a488d2ae7b232d8559f3bd1bfd68fed7cf1

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
MD5
9133a44bfd841b8849bddead9957c2c3

SHA1
3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

SHA256
b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

SHA512
d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
0f5cd725d7cbb3f09f80bd32441fe113

SHA1
014b88b5cf3929acd31eee5863a2d705aa8720c7

SHA256
4501e17c428e51902a669585415f646eaa933f5386f598629dd05117ef70fb51

SHA512
06bd105d3e2ad3951287e91de3d77cdfb8e27eb00288fae961b0f47bfb0ee9ad81a1a846d92f4d216c9d69a1d155de5b2e87444a2ac62d04bcdc887085beed8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
MD5
562512f6351fe76fb093932872a51d5e

SHA1
f05042143fe221bed38fcdbdf50d9ef2f9ce3c14

SHA256
a80f0b79a13a940a301f42525daab2673500a40066a4d3ca0126e0926b075197

SHA512
5bae5b862fb7e48c0a15c71857d2f2d40a1791e2b14595bf6d99f29374f96e6ac1daa6eb58e289bf518e3a234a3683cdce19655fb594394069823efa8f546a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
cfeef8ec4f80b50ddb80d4fe9540aa76

SHA1
cbdf0cefa6c6841dd3bdd6d5af28b642c7ffdcf5

SHA256
414f3a831fffd27f768e023eaa404aea67833f042bf95840084d94822e968562

SHA512
02bc825facbc519eb6bf444230551e92283af34ea0ba6d0bea89a8edab7fde5e3d696533965fd4700c1e3ac1aee6304148d2613e154702e073d35b5035716c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
d661862cb8774d8057da1d6728d13b4b

SHA1
73ba14bce51a76e92314bbfdc4e83b4a592707a7

SHA256
88ae717f2b667c8fb786a1f0461b2b5278e846f605582cb867a7de52eb3f3d7e

SHA512
6feadfc6ce3419a2b1612edd370f2cbdec7ee901d290d8a96113ccc6d79bbe9fff7ed6738075b82da89ae457735951aaaa63e17ba35d3644a3ee81764974aee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
MD5
772b022634e734d9e5653b22bcea30f7

SHA1
e6bcfe9d6036a5e4279178b318a298e27c02a8f5

SHA256
667637a0db3c3869654ceff7659b8375a9df9fd1908293ebead369ea55b920e5

SHA512
caf89523be608f62151271f7e35b5d325df184f47fac6bcf2b096af0bf413350460a194d9084c479cb01bf1d9b28eab6a99d61266969ee75eb213ded5a68711e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
a405e9f4ae6fe4c0c681917360478e10

SHA1
2d51c5fa18158da9853e3ec9146ab851fe7b20fe

SHA256
0c18aafac94601791f5f78c34dc96a3b9ebbb95e3b4ce14140a07c4cf2fe78d8

SHA512
7e91740840ae6f587c092ce402d05e779cf1b9186a3307842c9dd1bb6109cf49400761dc5c755ba1eefcf99ac6147aa58e9ea01a6f176378b39208b64f8a7283

Download Submit
C:\Users\Admin\AppData\Local\Temp\1275649726.exe
MD5
8a71134b5eec8d2bbf849a291b63246d

SHA1
bef03f05daad824da570594d183e233193d07bca

SHA256
36872a3b93b4173cbd71fe1955ae787a62e3e8dfc46a035cf406c06b8bcc66cf

SHA512
408cc8d88afd45e7e0bd52f46560f5ef721dafe703007c140b0fa696615a480e1155726e479ca829023f2d076b7d1401fd99008bbf11c13d3922d1c633218831

Download Submit
C:\Users\Admin\AppData\Local\Temp\1275649726.exe
MD5
8a71134b5eec8d2bbf849a291b63246d

SHA1
bef03f05daad824da570594d183e233193d07bca

SHA256
36872a3b93b4173cbd71fe1955ae787a62e3e8dfc46a035cf406c06b8bcc66cf

SHA512
408cc8d88afd45e7e0bd52f46560f5ef721dafe703007c140b0fa696615a480e1155726e479ca829023f2d076b7d1401fd99008bbf11c13d3922d1c633218831

Download Submit
C:\Users\Admin\AppData\Local\Temp\1g8N8Qzs\qZ0RXW.exe
MD5
8c03063314b0aa3d6a7d26c1f6db60b4

SHA1
6955952347314e7e19895778af232b14a15c736d

SHA256
8378458c45be220207b12b7dbeeee4fcd9a4c4f51973d828834b418ded6e781f

SHA512
d55407a63928afa38612e58fef7253452cc799f8659c4a78e93ba94b2d07feb7a2e47e1294b79879b440fe5bc8ad0d8c7563a6d4e1a0e2d31aa9424c009f9839

Download Submit
C:\Users\Admin\AppData\Local\Temp\1g8N8Qzs\qZ0RXW.exe
MD5
8c03063314b0aa3d6a7d26c1f6db60b4

SHA1
6955952347314e7e19895778af232b14a15c736d

SHA256
8378458c45be220207b12b7dbeeee4fcd9a4c4f51973d828834b418ded6e781f

SHA512
d55407a63928afa38612e58fef7253452cc799f8659c4a78e93ba94b2d07feb7a2e47e1294b79879b440fe5bc8ad0d8c7563a6d4e1a0e2d31aa9424c009f9839

Download Submit
C:\Users\Admin\AppData\Local\Temp\925406572.exe
MD5
8f42d6ac2ff0bd507f77fc6f2077ecae

SHA1
3f6eb11f4dc112aed5aac9fe3feb78f77e068c93

SHA256
cb1c124f7c5ee7ff7e260a15a4c8dcbce9dc4d3c3f4a1bbc54fda408970d045f

SHA512
2de3ab74384d24ccc5ae083dda82956d722f87e5d0b06ee183a42b92c8a881758940b773e2aa19ecb0a0b22c0b5522e60700604011f12cb2e72c06722864daa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\925406572.exe
MD5
8f42d6ac2ff0bd507f77fc6f2077ecae

SHA1
3f6eb11f4dc112aed5aac9fe3feb78f77e068c93

SHA256
cb1c124f7c5ee7ff7e260a15a4c8dcbce9dc4d3c3f4a1bbc54fda408970d045f

SHA512
2de3ab74384d24ccc5ae083dda82956d722f87e5d0b06ee183a42b92c8a881758940b773e2aa19ecb0a0b22c0b5522e60700604011f12cb2e72c06722864daa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI34BE.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3878.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3982.tmp
MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDiHvdnb\u9KDbtfva5XjKPsI.exe
MD5
208eb0912e5b6bcd0fa6f4f3d3b6f4f9

SHA1
d9f80e863a0435a991f601da93fcec3d4a813405

SHA256
e7d29e072c40ce7fbe34fbf7d32d38166c56299954d33c39acfbcafb1f18e93a

SHA512
d1cafd13483724fae43b81e9889a44462f51b6b16c23a30750264c8d5c435665ddacf0b10df2659fb4a7ed79efa2e89480ee1102a3d798492ba5da9d3d36e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDiHvdnb\u9KDbtfva5XjKPsI.exe
MD5
208eb0912e5b6bcd0fa6f4f3d3b6f4f9

SHA1
d9f80e863a0435a991f601da93fcec3d4a813405

SHA256
e7d29e072c40ce7fbe34fbf7d32d38166c56299954d33c39acfbcafb1f18e93a

SHA512
d1cafd13483724fae43b81e9889a44462f51b6b16c23a30750264c8d5c435665ddacf0b10df2659fb4a7ed79efa2e89480ee1102a3d798492ba5da9d3d36e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BL1M0.tmp\vpn.tmp
MD5
08ae6b558839412d71c7e63c2ccee469

SHA1
8864aada0d862a58bd94bcdaedb7cd5bb7747a00

SHA256
45a8436696aeff3ffd6e502ee9709dcffd4ee6967c873b89c634233dbb3b9834

SHA512
1b41a4be48ba8a3cd48b11085faf1124c220fc74cea76976ce52875954f3bcfa857954d3914805db4ffdc32b562b2afbed1ed58668ed4d6e5628bf6c67a9cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BL1M0.tmp\vpn.tmp
MD5
08ae6b558839412d71c7e63c2ccee469

SHA1
8864aada0d862a58bd94bcdaedb7cd5bb7747a00

SHA256
45a8436696aeff3ffd6e502ee9709dcffd4ee6967c873b89c634233dbb3b9834

SHA512
1b41a4be48ba8a3cd48b11085faf1124c220fc74cea76976ce52875954f3bcfa857954d3914805db4ffdc32b562b2afbed1ed58668ed4d6e5628bf6c67a9cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FNPKC.tmp\fires_258452962.tmp
MD5
ce9501d639d11ab993d448910aefe479

SHA1
0b411ca79303059eddc490d9cfda27c135bbd9d8

SHA256
b97c3a288eeac5924616e5a0746f5608741d8428bfbbcaa7cd4b41026d6256fd

SHA512
945f6a1e6de5ae03dcd1e76d39320fea95c0f9fad3181bfd18770793f34573eaca9659fc9b1f765efeaa64ef75c1d5dab06438628c646d993a1ab6b6f6a3ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FNPKC.tmp\fires_258452962.tmp
MD5
ce9501d639d11ab993d448910aefe479

SHA1
0b411ca79303059eddc490d9cfda27c135bbd9d8

SHA256
b97c3a288eeac5924616e5a0746f5608741d8428bfbbcaa7cd4b41026d6256fd

SHA512
945f6a1e6de5ae03dcd1e76d39320fea95c0f9fad3181bfd18770793f34573eaca9659fc9b1f765efeaa64ef75c1d5dab06438628c646d993a1ab6b6f6a3ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\mN6EExPU\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mN6EExPU\vpn.exe
MD5
a9487e1960820eb2ba0019491d3b08ce

SHA1
349b4568ddf57b5c6c1e4a715b27029b287b3b4a

SHA256
123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776

SHA512
dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{27EB3~1\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\{27EB3~1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{27eb3892-e5c8-4f46-9acc-8346d629284b}\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi
MD5
3af865e33a6e36a5032bbc1e90d3bd6c

SHA1
e55a9015ebca7e35025ebdc45bcc66cb2a2d7517

SHA256
aa331b692e66a8c0b7dc1f79ed02a550b583d47b19d749b4dbf942aecf75e5ae

SHA512
bd9cb033b4ff767a2e8a93d089be57349a8240d3c42f716c46f6a78607636d198d65b4b58c308046806be0e42177f34324508ed12faaa71465f782617b5e7cc3

Download Submit
C:\Windows\INF\oem2.PNF
MD5
06680db4c9c9899a5ebeaeda7b0067de

SHA1
875ebfc48aa1c2d44e35e635be1b23e4d49bbe9e

SHA256
34d330e5f72af7e75e3acc532001d524219158427b5705fe8f0b60c5e1b4a929

SHA512
24b4f348bdcf993d9587bafde53452452161ae8a117cecdbed9792231dff44b0525be4bf8e90a52d9239b9ce4b6b4e4870fc46556a6a4ccb9749e357b51459f3

Download Submit
C:\Windows\INF\oem2.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\Installer\MSI44F9.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Windows\Installer\MSI4826.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Windows\Installer\MSI4912.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Windows\Installer\MSI49DE.tmp
MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\OEMVIS~1.INF\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\??\c:\PROGRA~2\maskvpn\driver\win764\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\maskvpn\driver\win764\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\Users\Admin\AppData\Local\Temp\MSI34BE.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3878.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3982.tmp
MD5
e922ff8f49a4734f442bcd26b4a05ba8

SHA1
13e0dcc761282b31a9e21118035768cf75145045

SHA256
f2fd2ccb8d8412753ca7aa3d402f29b8280bbd4f7170d53f613e05f742f13a22

SHA512
0d395483f4ac9af3f011990612517641d4e6734e184faa0f17b4525aab729350ad5b9737a1c0f0164ec81775a41fb21dc90b72609a7ab25a37c4d2a19f253a0e

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1S89.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1S89.tmp\_isetup\_isdecmp.dll
MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1S89.tmp\_isetup\_isdecmp.dll
MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Local\Temp\is-AAB2S.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll
MD5
fddee40c512e40f05ed565f1a00e85f1

SHA1
2f0096e7418d19d8df8515f9899e87ca6671b517

SHA256
f7ab1e969edfece0c89bd4d79ce3cc70ff46e460da4d9d90b1ef91f3a0716265

SHA512
6845cb0f841572e7c516b8401eab4aadcdd492613ffb09ccd07ce254d6748ddde4b3b566b3e8fb2ea841c8fd5977d6f1fddaadda81e0f39d8736323e750c8127

Download Submit
\Windows\Installer\MSI44F9.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Windows\Installer\MSI4826.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
\Windows\Installer\MSI4912.tmp
MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
memory/212-83-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/516-41-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/576-62-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/576-52-0x0000000000000000-mapping.dmp

Download
memory/584-55-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/588-40-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/700-4-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1220-22-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/1224-25-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1364-229-0x0000000000000000-mapping.dmp

Download
memory/1432-26-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1460-39-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/1468-20-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1516-61-0x0000000007401000-0x00000000075E6000-memory.dmp

Filesize
1.9MB

Download
memory/1516-56-0x0000000000000000-mapping.dmp

Download
memory/1516-64-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1516-77-0x0000000009571000-0x000000000957D000-memory.dmp

Filesize
48KB

Download
memory/1516-63-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1516-74-0x00000000093E1000-0x00000000093E9000-memory.dmp

Filesize
32KB

Download
memory/1516-86-0x00000000093D0000-0x00000000093D1000-memory.dmp

Filesize
4KB

Download
memory/1576-29-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1592-44-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1672-43-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1680-2-0x0000000000000000-mapping.dmp

Download
memory/1680-8-0x0000000003301000-0x0000000003303000-memory.dmp

Filesize
8KB

Download
memory/1680-5-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1760-88-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1760-89-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1760-91-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1760-69-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/1760-78-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1760-65-0x0000000000000000-mapping.dmp

Download
memory/1796-35-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/1896-107-0x0000000000000000-mapping.dmp

Download
memory/1896-125-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1896-110-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/1896-111-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1912-31-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1988-17-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2032-67-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/2036-58-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/2136-32-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/2196-49-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2216-36-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/2260-92-0x0000000000000000-mapping.dmp

Download
memory/2268-47-0x0000000000000000-mapping.dmp

Download
memory/2300-458-0x0000000000000000-mapping.dmp

Download
memory/2332-230-0x0000000000000000-mapping.dmp

Download
memory/2464-46-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2472-27-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2496-38-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/2676-213-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/2676-97-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-185-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/2676-179-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/2676-207-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/2676-175-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/2676-174-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2676-173-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/2676-211-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/2676-93-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2676-215-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2676-94-0x000000000041F39E-mapping.dmp

Download
memory/2676-123-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/2676-205-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/2736-28-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2784-103-0x0000000000000000-mapping.dmp

Download
memory/2976-51-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/3044-34-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3096-87-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3192-23-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3376-11-0x0000000000000000-mapping.dmp

Download
memory/3376-16-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/3376-14-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3376-13-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3376-15-0x0000000000400000-0x0000000001644000-memory.dmp

Filesize
18.3MB

Download
memory/3384-217-0x0000000000000000-mapping.dmp

Download
memory/3416-237-0x0000020B95250000-0x0000020B95251000-memory.dmp

Filesize
4KB

Download
memory/3416-232-0x0000000000000000-mapping.dmp

Download
memory/3564-30-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/3700-21-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/3804-19-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/3824-80-0x0000000000000000-mapping.dmp

Download
memory/3824-95-0x0000000005290000-0x0000000005296000-memory.dmp

Filesize
24KB

Download
memory/3848-37-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3876-24-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/3880-233-0x0000000000000000-mapping.dmp

Download
memory/3880-236-0x000002238E640000-0x000002238E641000-memory.dmp

Filesize
4KB

Download
memory/3892-33-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3932-104-0x0000000000000000-mapping.dmp

Download
memory/3940-45-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/3968-90-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/3980-196-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/3980-195-0x0000000001840000-0x0000000001841000-memory.dmp

Filesize
4KB

Download
memory/3980-202-0x0000000033AB1000-0x0000000033C30000-memory.dmp

Filesize
1.5MB

Download
memory/3980-200-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/3980-204-0x00000000345A1000-0x00000000345DF000-memory.dmp

Filesize
248KB

Download
memory/3980-203-0x0000000034441000-0x000000003452A000-memory.dmp

Filesize
932KB

Download
memory/4016-252-0x0000000000000000-mapping.dmp

Download
memory/4060-42-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/4180-221-0x0000000000000000-mapping.dmp

Download
memory/4184-116-0x0000000000000000-mapping.dmp

Download
memory/4228-223-0x0000000000000000-mapping.dmp

Download
memory/4280-220-0x0000000000000000-mapping.dmp

Download
memory/4284-122-0x0000000000000000-mapping.dmp

Download
memory/4300-226-0x0000000000000000-mapping.dmp

Download
memory/4312-325-0x00000216918E0000-0x00000216918E1000-memory.dmp

Filesize
4KB

Download
memory/4312-324-0x0000000000000000-mapping.dmp

Download
memory/4312-328-0x00000216918E0000-0x00000216918E1000-memory.dmp

Filesize
4KB

Download
memory/4312-327-0x00000216918E0000-0x00000216918E1000-memory.dmp

Filesize
4KB

Download
memory/4312-326-0x00000216918E0000-0x00000216918E1000-memory.dmp

Filesize
4KB

Download
memory/4340-551-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-373-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-486-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-516-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-474-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-475-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-473-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-472-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4340-471-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-460-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-512-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-507-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-493-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-554-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-537-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-492-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-557-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-543-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-491-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-549-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-452-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-550-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-487-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-555-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-485-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-323-0x0000000000000000-mapping.dmp

Download
memory/4340-418-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-465-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-395-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-383-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-553-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-338-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-336-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-335-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-332-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4340-333-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4340-334-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4344-227-0x0000000000000000-mapping.dmp

Download
memory/4352-218-0x0000000004EC0000-0x0000000004EC4000-memory.dmp

Filesize
16KB

Download
memory/4352-130-0x0000000000000000-mapping.dmp

Download
memory/4380-517-0x000001A9ED330000-0x000001A9ED331000-memory.dmp

Filesize
4KB

Download
memory/4380-515-0x0000000000000000-mapping.dmp

Download
memory/4392-209-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/4392-134-0x000000000041F38A-mapping.dmp

Download
memory/4392-146-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4392-135-0x00000000710C0000-0x00000000717AE000-memory.dmp

Filesize
6.9MB

Download
memory/4392-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4400-187-0x0000000000000000-mapping.dmp

Download
memory/4400-188-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/4400-189-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/4400-194-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/4416-234-0x0000000000000000-mapping.dmp

Download
memory/4416-240-0x000002441AD00000-0x000002441AD01000-memory.dmp

Filesize
4KB

Download
memory/4460-435-0x0000000000000000-mapping.dmp

Download
memory/4516-141-0x0000000000000000-mapping.dmp

Download
memory/4536-140-0x0000000000000000-mapping.dmp

Download
memory/4568-453-0x0000000000000000-mapping.dmp

Download
memory/4612-224-0x0000000000000000-mapping.dmp

Download
memory/4620-145-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/4636-225-0x0000000000000000-mapping.dmp

Download
memory/4664-147-0x0000000000000000-mapping.dmp

Download
memory/4700-235-0x00000110A1620000-0x00000110A1621000-memory.dmp

Filesize
4KB

Download
memory/4700-231-0x0000000000000000-mapping.dmp

Download
memory/4720-154-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/4772-156-0x0000000000000000-mapping.dmp

Download
memory/4808-160-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/4916-222-0x0000000000000000-mapping.dmp

Download
memory/4920-161-0x0000000000000000-mapping.dmp

Download
memory/4940-228-0x0000000000000000-mapping.dmp

Download
memory/5004-167-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/5028-248-0x0000000000000000-mapping.dmp

Download
memory/5104-176-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/5104-171-0x0000000000000000-mapping.dmp

Download
memory/5104-177-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/5104-178-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download