c91c6c4c1162115c8d7f82f2d9f4098ee61fbe9051d3350b0a2f97fa2ce3e6f2

Resubmissions

02-09-2021 19:12

210902-xwla1aeefq 10

02-09-2021 19:09

210902-xtsbjabea9 8

Analysis

max time kernel
73s
max time network
75s
platform
windows10_x64
resource
win10-fr
submitted
02-09-2021 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anime-Fighters-Infin_734316524.exe
Size

3.9MB
MD5

bd2b73492acf20dec004360b1605032d
SHA1

60ddf3c107d94bbeb102a2d7ede945eb5edd2b35
SHA256

12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca
SHA512

dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da

Score

10^/10

discovery suricata upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4360 created 4124 4360 svchost.exe OneDriveSetup.exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

description	pid	process	target process
PID 4360 created 4124	4360	svchost.exe	OneDriveSetup.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\ApiTool.dll	acprotect
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\ApiTool.dll	acprotect

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpExpedita.exeOneDriveSetup.exeOneDriveSetup.exez3zKE.exeB7gdH53AO.exevpn.exevpn.tmptapinstall.exetapinstall.exe

pid	process
2476	Anime-Fighters-Infin_734316524.tmp
3332	Expedita.exe
4124	OneDriveSetup.exe
4388	OneDriveSetup.exe
4720	z3zKE.exe
4796	B7gdH53AO.exe
4852	vpn.exe
4916	vpn.tmp
4816	tapinstall.exe
5016	tapinstall.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\ApiTool.dll	upx
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\ApiTool.dll	upx

Loads dropped DLL 17 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpz3zKE.exevpn.tmpMsiExec.exeMsiExec.exe

pid	process
2476	Anime-Fighters-Infin_734316524.tmp
4720	z3zKE.exe
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4112	MsiExec.exe
4112	MsiExec.exe
4112	MsiExec.exe
4924	MsiExec.exe
4924	MsiExec.exe
4924	MsiExec.exe
4924	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exez3zKE.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	z3zKE.exe
File opened (read-only)	\??\L:	z3zKE.exe
File opened (read-only)	\??\V:	z3zKE.exe
File opened (read-only)	\??\Y:	z3zKE.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	z3zKE.exe
File opened (read-only)	\??\X:	z3zKE.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	z3zKE.exe
File opened (read-only)	\??\M:	z3zKE.exe
File opened (read-only)	\??\W:	z3zKE.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	z3zKE.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	z3zKE.exe
File opened (read-only)	\??\G:	z3zKE.exe
File opened (read-only)	\??\H:	z3zKE.exe
File opened (read-only)	\??\N:	z3zKE.exe
File opened (read-only)	\??\P:	z3zKE.exe
File opened (read-only)	\??\R:	z3zKE.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	z3zKE.exe
File opened (read-only)	\??\J:	z3zKE.exe
File opened (read-only)	\??\K:	z3zKE.exe
File opened (read-only)	\??\T:	z3zKE.exe
File opened (read-only)	\??\Z:	z3zKE.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	z3zKE.exe
File opened (read-only)	\??\S:	z3zKE.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	z3zKE.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpAnime-Fighters-Infin_734316524.tmp

description	ioc	process
File created	C:\Program Files (x86)\MaskVPN\is-3VE26.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1PT03.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SJ55N.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-B1P4C.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\voluptas\is-C0VHR.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-V9328.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-9A8HG.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-NG9JV.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-T1EVF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-EUMUA.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-S5LE9.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-NTDLH.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-RNERO.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Vel\magnam\Expedita.exe	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-NO94D.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3UUSE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-B1CBB.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File created	C:\Program Files (x86)\Vel\is-M1FH6.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-LDN4A.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QTD7C.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-V5AV1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-P5EH6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-TE4P6.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\is-SLDEG.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-P1UD3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-9TJRE.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\is-HO79T.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GHPR0.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-UOF0D.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-7551D.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-CDLCT.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-MO5H1.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6KVRP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-K8QPK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-54HEL.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\voluptas\is-RHD63.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-858J4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-V8MT4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-UOIM0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-CDTAE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-K3EPO.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-P18TL.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CBS53.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-SO7C2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-B9O91.tmp	vpn.tmp
File created	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\MaskVPN\is-HCPSI.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-990FT.tmp	vpn.tmp

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIAE87.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\MSIAF63.tmp	msiexec.exe
File created	C:\Windows\Installer\f74a8e8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74a8e8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC82.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD9C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4404	4796	WerFault.exe	B7gdH53AO.exe
4512	4796	WerFault.exe	B7gdH53AO.exe
4536	4796	WerFault.exe	B7gdH53AO.exe
2196	4796	WerFault.exe	B7gdH53AO.exe
2868	4796	WerFault.exe	B7gdH53AO.exe
4860	4796	WerFault.exe	B7gdH53AO.exe
924	4796	WerFault.exe	B7gdH53AO.exe
5084	4796	WerFault.exe	B7gdH53AO.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tapinstall.exetapinstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe

Modifies registry class 1 IoCs

Processes:

Expedita.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings Expedita.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	Expedita.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

z3zKE.exevpn.tmptapinstall.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	z3zKE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	z3zKE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	z3zKE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	z3zKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	z3zKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	z3zKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	z3zKE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	z3zKE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpExpedita.exeOneDriveStandaloneUpdater.exeOneDriveSetup.exevpn.tmpWerFault.exeWerFault.exeWerFault.exe

pid	process
2476	Anime-Fighters-Infin_734316524.tmp
2476	Anime-Fighters-Infin_734316524.tmp
3332	Expedita.exe
3332	Expedita.exe
864	OneDriveStandaloneUpdater.exe
864	OneDriveStandaloneUpdater.exe
864	OneDriveStandaloneUpdater.exe
864	OneDriveStandaloneUpdater.exe
4124	OneDriveSetup.exe
4124	OneDriveSetup.exe
4124	OneDriveSetup.exe
4124	OneDriveSetup.exe
3332	Expedita.exe
3332	Expedita.exe
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4404	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4512	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe
4536	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

OneDriveSetup.exesvchost.exevpn.tmpmsiexec.exez3zKE.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4124	OneDriveSetup.exe
Token: SeTcbPrivilege	4360	svchost.exe
Token: SeTcbPrivilege	4360	svchost.exe
Token: SeDebugPrivilege	4916	vpn.tmp
Token: SeSecurityPrivilege	5004	msiexec.exe
Token: SeDebugPrivilege	4916	vpn.tmp
Token: SeCreateTokenPrivilege	4720	z3zKE.exe
Token: SeAssignPrimaryTokenPrivilege	4720	z3zKE.exe
Token: SeLockMemoryPrivilege	4720	z3zKE.exe
Token: SeIncreaseQuotaPrivilege	4720	z3zKE.exe
Token: SeMachineAccountPrivilege	4720	z3zKE.exe
Token: SeTcbPrivilege	4720	z3zKE.exe
Token: SeSecurityPrivilege	4720	z3zKE.exe
Token: SeTakeOwnershipPrivilege	4720	z3zKE.exe
Token: SeLoadDriverPrivilege	4720	z3zKE.exe
Token: SeSystemProfilePrivilege	4720	z3zKE.exe
Token: SeSystemtimePrivilege	4720	z3zKE.exe
Token: SeProfSingleProcessPrivilege	4720	z3zKE.exe
Token: SeIncBasePriorityPrivilege	4720	z3zKE.exe
Token: SeCreatePagefilePrivilege	4720	z3zKE.exe
Token: SeCreatePermanentPrivilege	4720	z3zKE.exe
Token: SeBackupPrivilege	4720	z3zKE.exe
Token: SeRestorePrivilege	4720	z3zKE.exe
Token: SeShutdownPrivilege	4720	z3zKE.exe
Token: SeDebugPrivilege	4720	z3zKE.exe
Token: SeAuditPrivilege	4720	z3zKE.exe
Token: SeSystemEnvironmentPrivilege	4720	z3zKE.exe
Token: SeChangeNotifyPrivilege	4720	z3zKE.exe
Token: SeRemoteShutdownPrivilege	4720	z3zKE.exe
Token: SeUndockPrivilege	4720	z3zKE.exe
Token: SeSyncAgentPrivilege	4720	z3zKE.exe
Token: SeEnableDelegationPrivilege	4720	z3zKE.exe
Token: SeManageVolumePrivilege	4720	z3zKE.exe
Token: SeImpersonatePrivilege	4720	z3zKE.exe
Token: SeCreateGlobalPrivilege	4720	z3zKE.exe
Token: SeCreateTokenPrivilege	4720	z3zKE.exe
Token: SeAssignPrimaryTokenPrivilege	4720	z3zKE.exe
Token: SeLockMemoryPrivilege	4720	z3zKE.exe
Token: SeIncreaseQuotaPrivilege	4720	z3zKE.exe
Token: SeMachineAccountPrivilege	4720	z3zKE.exe
Token: SeTcbPrivilege	4720	z3zKE.exe
Token: SeSecurityPrivilege	4720	z3zKE.exe
Token: SeTakeOwnershipPrivilege	4720	z3zKE.exe
Token: SeLoadDriverPrivilege	4720	z3zKE.exe
Token: SeSystemProfilePrivilege	4720	z3zKE.exe
Token: SeSystemtimePrivilege	4720	z3zKE.exe
Token: SeProfSingleProcessPrivilege	4720	z3zKE.exe
Token: SeIncBasePriorityPrivilege	4720	z3zKE.exe
Token: SeCreatePagefilePrivilege	4720	z3zKE.exe
Token: SeCreatePermanentPrivilege	4720	z3zKE.exe
Token: SeBackupPrivilege	4720	z3zKE.exe
Token: SeRestorePrivilege	4720	z3zKE.exe
Token: SeShutdownPrivilege	4720	z3zKE.exe
Token: SeDebugPrivilege	4720	z3zKE.exe
Token: SeAuditPrivilege	4720	z3zKE.exe
Token: SeSystemEnvironmentPrivilege	4720	z3zKE.exe
Token: SeChangeNotifyPrivilege	4720	z3zKE.exe
Token: SeRemoteShutdownPrivilege	4720	z3zKE.exe
Token: SeUndockPrivilege	4720	z3zKE.exe
Token: SeSyncAgentPrivilege	4720	z3zKE.exe
Token: SeEnableDelegationPrivilege	4720	z3zKE.exe
Token: SeManageVolumePrivilege	4720	z3zKE.exe
Token: SeImpersonatePrivilege	4720	z3zKE.exe
Token: SeCreateGlobalPrivilege	4720	z3zKE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpz3zKE.exevpn.tmp

pid	process
2476	Anime-Fighters-Infin_734316524.tmp
4720	z3zKE.exe
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp
4916	vpn.tmp

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

Anime-Fighters-Infin_734316524.exeAnime-Fighters-Infin_734316524.tmpOneDriveStandaloneUpdater.exesvchost.exeExpedita.exevpn.exemsiexec.exez3zKE.exevpn.tmpcmd.execmd.exe

description	pid	process	target process
PID 432 wrote to memory of 2476	432	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 432 wrote to memory of 2476	432	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 432 wrote to memory of 2476	432	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 2476 wrote to memory of 3332	2476	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 2476 wrote to memory of 3332	2476	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 2476 wrote to memory of 3332	2476	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 864 wrote to memory of 4124	864	OneDriveStandaloneUpdater.exe	OneDriveSetup.exe
PID 864 wrote to memory of 4124	864	OneDriveStandaloneUpdater.exe	OneDriveSetup.exe
PID 864 wrote to memory of 4124	864	OneDriveStandaloneUpdater.exe	OneDriveSetup.exe
PID 4360 wrote to memory of 4388	4360	svchost.exe	OneDriveSetup.exe
PID 4360 wrote to memory of 4388	4360	svchost.exe	OneDriveSetup.exe
PID 4360 wrote to memory of 4388	4360	svchost.exe	OneDriveSetup.exe
PID 3332 wrote to memory of 4720	3332	Expedita.exe	z3zKE.exe
PID 3332 wrote to memory of 4720	3332	Expedita.exe	z3zKE.exe
PID 3332 wrote to memory of 4720	3332	Expedita.exe	z3zKE.exe
PID 3332 wrote to memory of 4796	3332	Expedita.exe	B7gdH53AO.exe
PID 3332 wrote to memory of 4796	3332	Expedita.exe	B7gdH53AO.exe
PID 3332 wrote to memory of 4796	3332	Expedita.exe	B7gdH53AO.exe
PID 3332 wrote to memory of 4852	3332	Expedita.exe	vpn.exe
PID 3332 wrote to memory of 4852	3332	Expedita.exe	vpn.exe
PID 3332 wrote to memory of 4852	3332	Expedita.exe	vpn.exe
PID 4852 wrote to memory of 4916	4852	vpn.exe	vpn.tmp
PID 4852 wrote to memory of 4916	4852	vpn.exe	vpn.tmp
PID 4852 wrote to memory of 4916	4852	vpn.exe	vpn.tmp
PID 5004 wrote to memory of 4112	5004	msiexec.exe	MsiExec.exe
PID 5004 wrote to memory of 4112	5004	msiexec.exe	MsiExec.exe
PID 5004 wrote to memory of 4112	5004	msiexec.exe	MsiExec.exe
PID 4720 wrote to memory of 3876	4720	z3zKE.exe	msiexec.exe
PID 4720 wrote to memory of 3876	4720	z3zKE.exe	msiexec.exe
PID 4720 wrote to memory of 3876	4720	z3zKE.exe	msiexec.exe
PID 4916 wrote to memory of 2200	4916	vpn.tmp	cmd.exe
PID 4916 wrote to memory of 2200	4916	vpn.tmp	cmd.exe
PID 4916 wrote to memory of 2200	4916	vpn.tmp	cmd.exe
PID 2200 wrote to memory of 4816	2200	cmd.exe	tapinstall.exe
PID 2200 wrote to memory of 4816	2200	cmd.exe	tapinstall.exe
PID 5004 wrote to memory of 4924	5004	msiexec.exe	MsiExec.exe
PID 5004 wrote to memory of 4924	5004	msiexec.exe	MsiExec.exe
PID 5004 wrote to memory of 4924	5004	msiexec.exe	MsiExec.exe
PID 4916 wrote to memory of 4636	4916	vpn.tmp	cmd.exe
PID 4916 wrote to memory of 4636	4916	vpn.tmp	cmd.exe
PID 4916 wrote to memory of 4636	4916	vpn.tmp	cmd.exe
PID 4636 wrote to memory of 5016	4636	cmd.exe	tapinstall.exe
PID 4636 wrote to memory of 5016	4636	cmd.exe	tapinstall.exe

C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
"C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\is-KEM27.tmp\Anime-Fighters-Infin_734316524.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KEM27.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$2011E,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2476

C:\Program Files (x86)\Vel\magnam\Expedita.exe
"C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\lvY3hDhG\z3zKE.exe
C:\Users\Admin\AppData\Local\Temp\lvY3hDhG\z3zKE.exe /quiet SILENT=1 AF=606x32cb7aca069a0c8bb8d51fccce1d3826
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=606x32cb7aca069a0c8bb8d51fccce1d3826 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lvY3hDhG\z3zKE.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lvY3hDhG\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630350493 /quiet SILENT=1 AF=606x32cb7aca069a0c8bb8d51fccce1d3826 " AF="606x32cb7aca069a0c8bb8d51fccce1d3826" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
5⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\fphuXjyc\B7gdH53AO.exe
C:\Users\Admin\AppData\Local\Temp\fphuXjyc\B7gdH53AO.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
4⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 652
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 668
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 768
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 808
5⤵
- Program crash
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 884
5⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 904
5⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1152
5⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1132
5⤵
- Program crash
PID:5084

C:\Users\Admin\AppData\Local\Temp\aEMlrGlz\vpn.exe
C:\Users\Admin\AppData\Local\Temp\aEMlrGlz\vpn.exe /silent /subid=510x32cb7aca069a0c8bb8d51fccce1d3826
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\is-V830K.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V830K.tmp\vpn.tmp" /SL5="$2030A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\aEMlrGlz\vpn.exe" /silent /subid=510x32cb7aca069a0c8bb8d51fccce1d3826
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:5016

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
6⤵
PID:4844

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
6⤵
PID:5116

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
3⤵
- Executes dropped EXE
PID:4388

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe"
4⤵
PID:4028

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:4684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C49AADEB894C541E118B022ED9154AD9 C
2⤵
- Loads dropped DLL
PID:4112

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0BB9A25CA0AD2A8DD6D7274AF0C27038
2⤵
- Loads dropped DLL
PID:4924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4264

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5173bf23-fc76-274c-9cf4-836926b05f4f}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:4660

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
2⤵
PID:2680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4512

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:2316

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MaskVPN\driver\win764\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\install.bat
MD5
3a05ce392d84463b43858e26c48f9cbf

SHA1
78f624e2c81c3d745a45477d61749b8452c129f1

SHA256
5b56d8b121fc9a7f2d4e90edb1b29373cd2d06bac1c54ada8f6cb559b411180b

SHA512
8a31fda09f0fa7779c4fb0c0629d4d446957c8aaae0595759dd2b434e84a17ecb6ffe4beff973a245caf0452a0c04a488d2ae7b232d8559f3bd1bfd68fed7cf1

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
MD5
9133a44bfd841b8849bddead9957c2c3

SHA1
3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

SHA256
b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

SHA512
d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

Download Submit
C:\Program Files (x86)\Vel\magnam\Expedita.exe
MD5
8c8b1e33a4bf38b9b76bc1cbb961ed96

SHA1
cd033cf4183b91ab93ffb5ed49ce789b18009054

SHA256
7c5882ad4c9b9b10bd55c37d3390a0f19bba8c198f9db8f4497fe605d725c8a7

SHA512
4a27d39411d56281678b1b0847f2051b50d4d4730445cefe80324ae4c07f46123114b10a2c5f1857fecebf191c4116907a3bb873aba6b061fec401fcc8284e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
519fc8c43a0ba5def02f2676fc8eb8a0

SHA1
af53357ccf33de6b18b413847f4e9292eb72bbb0

SHA256
3cdb094a71194f714b6fdc81af1d6f7550b87e7ddaf55a4f1a363b6a08cdad20

SHA512
2bad17fc954c7b7669da9f88d8e46d3c57be6e4409efddc12ee59931eb5b050e89dd27562435ed9bf370e131037e1048ac639dca56c76404bf97cd12ff4c2a71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
MD5
38760138e77ae21c3c735a9bafd61734

SHA1
f563a1b774c944360608ea94bac3b78349bffba9

SHA256
01f141562ab01ab6899c993b29dba858f24f78400a11c4263aea66cbf4a2f877

SHA512
ebf211786628e740bd0255411e941b0961c104a5b2ed94d937cc5fb8d9ec615d0a55dd0bbe19a0c9bc969c200e848c1704b0e6f032410f9ad59cc123f7e462d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
d14caf4148073d2fdb9e641101c25c70

SHA1
176468688739888ad75460eb4c623d6c456518eb

SHA256
1bf8f46dc9ab4f9b357b2e78724c764bd4023ac3407868c2ccc8ccda0db4a615

SHA512
4addbf37a9360f52547113f4cf55589682388c3f0f99b1a1fc89c30b6670b159f0eba715864bb53fdf10372d5a3967d018282701d724b9005b0a2609d6f89505

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
434ffebf51877c461358417d6fe93c46

SHA1
f8c40855ad0c36a16661c68e7491b73773bc60ee

SHA256
4bce10eefcc31e6cd06dbc0b1457c8bac5c83baad4c428c855aee5bb7ef07b7d

SHA512
d7f2bcf3b6d9a5274af5d87c582812eced6b8604972ae831944c73b5dc75bd9a42a906d1ff64d8c4c61dbc9f7eeb85a647ffa972fac37964f25eee4561e9d7dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
MD5
4914f4e0977d6676af3e7237b8f21127

SHA1
fb6714a037bd293270a3210a23276eac0c3a9aff

SHA256
8a9cdef0135c9f125ae7fa53dee5eef8e1fd06041182089a3b37fca8a98b4488

SHA512
e0f5f2ec858373ccfb0ade81da2655fe36d43ae1b8700aff871ad5104c4b52da9106c8bc79f2fe31addd017c6ad1d252fffe7aa6a3a95b2f4079d26473fa911a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
c90de0080240dd407ef3eafc487fad96

SHA1
6d4a5182e921d9bc35bd167cf94b5e6263193865

SHA256
08c98b6523fd119c304612f470e6975c018a74b4ad91f1067ef5e2124ae60221

SHA512
55e5061f7c22888d773db1891c6e587c3048a42ecad5522247f256afa116f8772ebbe333c71071e111a9bbbb9c3c71318e511fa31984e3df593911ef26f09027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
MD5
d8ee8d3b45886a695234069a6629de85

SHA1
49466583dbbed6aff751571bf6f27a0b84f991a1

SHA256
1d96dbb2d5c465185d9a76cf97994152859f6b55d181f9f7c8d69325116c5491

SHA512
0a1294a6314acc8418d5d1a996db225eed0469c48b5f894eb60f5e05a213c414e0a30d24d9031b928df09cf098396afa7e180562ff116ff659970fe4798fec0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
MD5
d8ee8d3b45886a695234069a6629de85

SHA1
49466583dbbed6aff751571bf6f27a0b84f991a1

SHA256
1d96dbb2d5c465185d9a76cf97994152859f6b55d181f9f7c8d69325116c5491

SHA512
0a1294a6314acc8418d5d1a996db225eed0469c48b5f894eb60f5e05a213c414e0a30d24d9031b928df09cf098396afa7e180562ff116ff659970fe4798fec0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
MD5
d8ee8d3b45886a695234069a6629de85

SHA1
49466583dbbed6aff751571bf6f27a0b84f991a1

SHA256
1d96dbb2d5c465185d9a76cf97994152859f6b55d181f9f7c8d69325116c5491

SHA512
0a1294a6314acc8418d5d1a996db225eed0469c48b5f894eb60f5e05a213c414e0a30d24d9031b928df09cf098396afa7e180562ff116ff659970fe4798fec0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
MD5
b8ae21a21014d8da9b779607da282adb

SHA1
d0596ef2a4ed64e1662f4dd8bdad6040e4bc3486

SHA256
d38b9a04ad772e79a0c6e28cf4be02e2dbf95617f80126babaec5e1b444b468b

SHA512
9b419df9e959250d081235e054e56414f07dd37e291fe2ef531924d20699e6339aaf4e9aafc88c2c84447fffae6a65e4149bdb37c85bb9d16f2234e16c67c721

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI968A.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA31D.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA3EA.tmp
MD5
d51a7e3bce34c74638e89366deee2aab

SHA1
0e68022b52c288e8cdffe85739de1194253a7ef0

SHA256
7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

SHA512
8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMlrGlz\vpn.exe
MD5
cecbf60d82c3f39663e579f87d2e0fd2

SHA1
298f56d73ab7e15db752906188cb1f850b043304

SHA256
a4715456dfec2c306480d2b68754e7aae8d6a3e4daf4f61d80eb69fec14dfd03

SHA512
54723cd1241b60b9bb4dddc5621d901c04777f50bfc99624ef6b687d270b4854b2f2cde7f75901176e1870806e509293cf11be7a2712a6200d92dc2f11ead974

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMlrGlz\vpn.exe
MD5
cecbf60d82c3f39663e579f87d2e0fd2

SHA1
298f56d73ab7e15db752906188cb1f850b043304

SHA256
a4715456dfec2c306480d2b68754e7aae8d6a3e4daf4f61d80eb69fec14dfd03

SHA512
54723cd1241b60b9bb4dddc5621d901c04777f50bfc99624ef6b687d270b4854b2f2cde7f75901176e1870806e509293cf11be7a2712a6200d92dc2f11ead974

Download Submit
C:\Users\Admin\AppData\Local\Temp\fphuXjyc\B7gdH53AO.exe
MD5
510bdc47bcc20fb075a12a62b61fe1e8

SHA1
cc74647eba86347185b7c776cd275a75183bd6a4

SHA256
39d84e0c1fa355e2ec5f5d6080b189ca8682c831ab1ae25ebb30b24298295de6

SHA512
a947609d7953f5a15334b7666da65aca327ff1124bfd6b7d2e6b715e7595fe0c6614782861c3e9d945a070b885ac53b48cffdcf12bcb630caa0036ebaa8225d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fphuXjyc\B7gdH53AO.exe
MD5
510bdc47bcc20fb075a12a62b61fe1e8

SHA1
cc74647eba86347185b7c776cd275a75183bd6a4

SHA256
39d84e0c1fa355e2ec5f5d6080b189ca8682c831ab1ae25ebb30b24298295de6

SHA512
a947609d7953f5a15334b7666da65aca327ff1124bfd6b7d2e6b715e7595fe0c6614782861c3e9d945a070b885ac53b48cffdcf12bcb630caa0036ebaa8225d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KEM27.tmp\Anime-Fighters-Infin_734316524.tmp
MD5
3e82d951014d6fa1f34b7ea9a6bab125

SHA1
8135d385bcb6cad13dc3f4524e6a3b4584939b22

SHA256
ec822c16b67f304645977e8b20a81b06eb9d577e890aeec33155d3b19fe61854

SHA512
4a8c24ddb0841c5e75bd6b9c1f3015c2be637827db914f4279c3445e9c82ab1eb7790b0611cafdaff99b5115ecd255d913b03e5d11c2a7d094e04a24bb1681bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KEM27.tmp\Anime-Fighters-Infin_734316524.tmp
MD5
3e82d951014d6fa1f34b7ea9a6bab125

SHA1
8135d385bcb6cad13dc3f4524e6a3b4584939b22

SHA256
ec822c16b67f304645977e8b20a81b06eb9d577e890aeec33155d3b19fe61854

SHA512
4a8c24ddb0841c5e75bd6b9c1f3015c2be637827db914f4279c3445e9c82ab1eb7790b0611cafdaff99b5115ecd255d913b03e5d11c2a7d094e04a24bb1681bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V830K.tmp\vpn.tmp
MD5
fea7e5e6ab969d8058e923a059a265b4

SHA1
c0240efcb696484b0865b296db8f0b3962def7b1

SHA256
8c4890ce44631026b2a70418fcb731c8ba8a5d727454421e0d7652fe474cf6b3

SHA512
41960a3da4ac6f0a6195265ea9bdaf6bd2521a38d55f8603113ea6ec646a810364ab0808cba1ba1545ca841c67de6bcdcf38e605afbf6f4bd2e269e37e668c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V830K.tmp\vpn.tmp
MD5
fea7e5e6ab969d8058e923a059a265b4

SHA1
c0240efcb696484b0865b296db8f0b3962def7b1

SHA256
8c4890ce44631026b2a70418fcb731c8ba8a5d727454421e0d7652fe474cf6b3

SHA512
41960a3da4ac6f0a6195265ea9bdaf6bd2521a38d55f8603113ea6ec646a810364ab0808cba1ba1545ca841c67de6bcdcf38e605afbf6f4bd2e269e37e668c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvY3hDhG\z3zKE.exe
MD5
ba0d861ab2ce40a89cab369016f1b852

SHA1
12e3a03ba04f22395e07680a63eea0427a4ad90a

SHA256
5cec97f7759557b1a52dad26f650ed756508b5f4ccce6169941dd558bfa00584

SHA512
1445bc82928bebceef43aef66deae2484c4680b30937ff44b12ba330db179ecb361854d8da953f07f6fb5efd18fc1b3f25cfec53b3d85dc7bc4ac304efed92a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvY3hDhG\z3zKE.exe
MD5
ba0d861ab2ce40a89cab369016f1b852

SHA1
12e3a03ba04f22395e07680a63eea0427a4ad90a

SHA256
5cec97f7759557b1a52dad26f650ed756508b5f4ccce6169941dd558bfa00584

SHA512
1445bc82928bebceef43aef66deae2484c4680b30937ff44b12ba330db179ecb361854d8da953f07f6fb5efd18fc1b3f25cfec53b3d85dc7bc4ac304efed92a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5173B~1\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5173B~1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5173bf23-fc76-274c-9cf4-836926b05f4f}\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi
MD5
3176da4b324b3e0e846b6322e2c9374e

SHA1
c925445652161ba195abd50ebb20c775925d6486

SHA256
f7e9c177879c6923e58333b9d9f55642b7c3c4a7996e3b591858dfdc8d7c89bf

SHA512
573fa74202d801cd5ac020bf8cbe163ceb6ff0dc4908b8bd5d5b2844df129af642138a90c1d91f8240141c2148e8013798fb2a24fc43f9cfd07a7cb5ed6cf571

Download Submit
C:\Windows\Installer\MSIAC82.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Windows\Installer\MSIAD9C.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Windows\Installer\MSIAE87.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Windows\Installer\MSIAF63.tmp
MD5
d51a7e3bce34c74638e89366deee2aab

SHA1
0e68022b52c288e8cdffe85739de1194253a7ef0

SHA256
7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

SHA512
8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

Download Submit
C:\Windows\Installer\MSIB06E.tmp
MD5
4c4cfbe97422d3ff76b3cd00a3295b41

SHA1
b2c7a4c2476eee35c6fe508447e5d2025602b5db

SHA256
63f2dcea91cb937cbd2dbddb127f094791a6e07e8c182af8d9f459042fc62b53

SHA512
bfc332a46972a9a7353b1788aade66b316bccf226df3a1496c3a1468168bf9045bd6112759096fb5645cb323b641a4a2c6c32a980a3edab26f41e288a4f08c65

Download Submit
C:\Windows\Installer\MSIB149.tmp
MD5
68dd02e76485cc29531b5bd8edbb1c51

SHA1
f20413b19d82362e15f340f36efd33cdace115cd

SHA256
f950436b53b8f0c94b239fff265d8edccb1897de12b5696eca0bf9a88fc4e7e7

SHA512
acb31b3a2a36b0cd4fbf67ffbe7441f7f227ca7530ba2fb98ff36a865f49b550e78ccd5db9fee33ca9a81465ae4421da7c96be12307a1b1b2f2f0a6237150737

Download Submit
C:\Windows\Installer\MSIB6D8.tmp
MD5
4c4cfbe97422d3ff76b3cd00a3295b41

SHA1
b2c7a4c2476eee35c6fe508447e5d2025602b5db

SHA256
63f2dcea91cb937cbd2dbddb127f094791a6e07e8c182af8d9f459042fc62b53

SHA512
bfc332a46972a9a7353b1788aade66b316bccf226df3a1496c3a1468168bf9045bd6112759096fb5645cb323b641a4a2c6c32a980a3edab26f41e288a4f08c65

Download Submit
C:\Windows\Installer\MSIB7A4.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
\??\c:\PROGRA~2\maskvpn\driver\win764\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\maskvpn\driver\win764\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\Users\Admin\AppData\Local\Temp\MSI968A.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA31D.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA3EA.tmp
MD5
d51a7e3bce34c74638e89366deee2aab

SHA1
0e68022b52c288e8cdffe85739de1194253a7ef0

SHA256
7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

SHA512
8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

Download Submit
\Users\Admin\AppData\Local\Temp\is-930ED.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Local\Temp\is-BDHFQ.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll
MD5
15aa573cee52cc4c11527dee98bea20c

SHA1
32fe5da57bbe66425c3d3c89a28e7125fb0097b3

SHA256
6889ea3a9d69f176351a389f92537d521abc851d1b71b47ab21c3b821cff8622

SHA512
4b357dc6eb8bdc152b63bc0a5f5bce6196cf65e02a71d32ee6568d477b359c2a4ab04892249cfdb8712eb5c8ab1a78e675db47f8b3150cf2c107dc61032cd085

Download Submit
\Windows\Installer\MSIAC82.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
\Windows\Installer\MSIAD9C.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
\Windows\Installer\MSIAE87.tmp
MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
\Windows\Installer\MSIAF63.tmp
MD5
d51a7e3bce34c74638e89366deee2aab

SHA1
0e68022b52c288e8cdffe85739de1194253a7ef0

SHA256
7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

SHA512
8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

Download Submit
\Windows\Installer\MSIB06E.tmp
MD5
4c4cfbe97422d3ff76b3cd00a3295b41

SHA1
b2c7a4c2476eee35c6fe508447e5d2025602b5db

SHA256
63f2dcea91cb937cbd2dbddb127f094791a6e07e8c182af8d9f459042fc62b53

SHA512
bfc332a46972a9a7353b1788aade66b316bccf226df3a1496c3a1468168bf9045bd6112759096fb5645cb323b641a4a2c6c32a980a3edab26f41e288a4f08c65

Download Submit
\Windows\Installer\MSIB149.tmp
MD5
68dd02e76485cc29531b5bd8edbb1c51

SHA1
f20413b19d82362e15f340f36efd33cdace115cd

SHA256
f950436b53b8f0c94b239fff265d8edccb1897de12b5696eca0bf9a88fc4e7e7

SHA512
acb31b3a2a36b0cd4fbf67ffbe7441f7f227ca7530ba2fb98ff36a865f49b550e78ccd5db9fee33ca9a81465ae4421da7c96be12307a1b1b2f2f0a6237150737

Download Submit
\Windows\Installer\MSIB6D8.tmp
MD5
4c4cfbe97422d3ff76b3cd00a3295b41

SHA1
b2c7a4c2476eee35c6fe508447e5d2025602b5db

SHA256
63f2dcea91cb937cbd2dbddb127f094791a6e07e8c182af8d9f459042fc62b53

SHA512
bfc332a46972a9a7353b1788aade66b316bccf226df3a1496c3a1468168bf9045bd6112759096fb5645cb323b641a4a2c6c32a980a3edab26f41e288a4f08c65

Download Submit
memory/432-119-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2200-182-0x0000000000000000-mapping.dmp

Download
memory/2476-120-0x0000000000530000-0x00000000005DE000-memory.dmp

Filesize
696KB

Download
memory/2476-116-0x0000000000000000-mapping.dmp

Download
memory/2680-218-0x0000000000000000-mapping.dmp

Download
memory/3332-122-0x0000000000000000-mapping.dmp

Download
memory/3332-124-0x0000000000400000-0x00000000019C2000-memory.dmp

Filesize
21.8MB

Download
memory/3332-125-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/3876-172-0x0000000000000000-mapping.dmp

Download
memory/4028-225-0x0000000000000000-mapping.dmp

Download
memory/4112-163-0x0000000000000000-mapping.dmp

Download
memory/4124-126-0x0000000000000000-mapping.dmp

Download
memory/4388-129-0x0000000000000000-mapping.dmp

Download
memory/4636-192-0x0000000000000000-mapping.dmp

Download
memory/4660-211-0x0000000000000000-mapping.dmp

Download
memory/4720-132-0x0000000000000000-mapping.dmp

Download
memory/4796-135-0x0000000000000000-mapping.dmp

Download
memory/4796-150-0x0000000004650000-0x0000000004698000-memory.dmp

Filesize
288KB

Download
memory/4796-151-0x0000000000400000-0x0000000002B5E000-memory.dmp

Filesize
39.4MB

Download
memory/4816-184-0x0000000000000000-mapping.dmp

Download
memory/4844-219-0x0000000000000000-mapping.dmp

Download
memory/4844-223-0x00000000017E0000-0x000000000192A000-memory.dmp

Filesize
1.3MB

Download
memory/4844-222-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/4844-221-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/4844-220-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/4852-139-0x0000000000000000-mapping.dmp

Download
memory/4852-145-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4916-161-0x0000000008C60000-0x0000000008C75000-memory.dmp

Filesize
84KB

Download
memory/4916-149-0x0000000006B30000-0x0000000006E10000-memory.dmp

Filesize
2.9MB

Download
memory/4916-158-0x0000000008B50000-0x0000000008B5F000-memory.dmp

Filesize
60KB

Download
memory/4916-143-0x0000000000000000-mapping.dmp

Download
memory/4916-208-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4916-146-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4916-207-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/4924-187-0x0000000000000000-mapping.dmp

Download
memory/5016-196-0x0000000000000000-mapping.dmp

Download
memory/5116-224-0x0000000000000000-mapping.dmp

Download
memory/5116-226-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/5116-227-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/5116-228-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/5116-229-0x00000000017E0000-0x000000000192A000-memory.dmp

Filesize
1.3MB

Download