redline | c8aa42e07176d24c933d1e2bc4f0052b2973f98fc6e395d90f09e07dbf7c0585

Analysis

max time kernel
145s
max time network
198s
platform
windows7_x64
resource
win7-en-20210920
submitted
25-10-2021 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e774dd9c86af55f5f4f64ce0e6096341.exe
Size

6.3MB
MD5

e774dd9c86af55f5f4f64ce0e6096341
SHA1

d645b5c74e4c2659b1db2efe45cb14eca554bddc
SHA256

c8aa42e07176d24c933d1e2bc4f0052b2973f98fc6e395d90f09e07dbf7c0585
SHA512

ad0f726ef0190f231b46b174ced45e1f8b7646b0abe6cda24d883d9584a7581d9fc67348718895b3186df763840d993e2fab1e76e2c853e7a9f109ad0508e3c6

Score

10^/10

redline vidar 915 v4 discovery infostealer spyware stealer suricata upx

Malware Config

Extracted

Family

redline

Botnet

3.17.66.208:50383

Extracted

Family

vidar

Version

41.5

Botnet

915

https://mas.to/@xeroxxx

Attributes

profile_id
915

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\FastPc\FastPc\Fast_.exe	family_redline
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe	family_redline
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\ApiTool.dll	acprotect

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1624-78-0x0000000000960000-0x0000000000A36000-memory.dmp	family_vidar
behavioral1/memory/1624-79-0x0000000000400000-0x00000000008E3000-memory.dmp	family_vidar

Blocklisted process makes network request 3 IoCs

Processes:

cmd.exe

flow pid process

54 760 cmd.exe
56 760 cmd.exe
58 760 cmd.exe
Downloads MZ/PE file

flow	pid	process
54	760	cmd.exe
56	760	cmd.exe
58	760	cmd.exe

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET8EF7.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET8EF7.tmp	DrvInst.exe

Executes dropped EXE 11 IoCs

Processes:

Faster.exeFast_.exeFast.exe13.exevpn.exevpn.tmptapinstall.exetapinstall.exemask_svc.exemask_svc.exemask_svc.exe

pid	process
1884	Faster.exe
1728	Fast_.exe
1624	Fast.exe
520	13.exe
1880	vpn.exe
568	vpn.tmp
1556	tapinstall.exe
1800	tapinstall.exe
2416	mask_svc.exe
2536	mask_svc.exe
2636	mask_svc.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\ApiTool.dll	upx

Loads dropped DLL 31 IoCs

Processes:

e774dd9c86af55f5f4f64ce0e6096341.exevpn.exevpn.tmpWerFault.execmd.execmd.exemask_svc.exe

pid	process
1200	e774dd9c86af55f5f4f64ce0e6096341.exe
1200	e774dd9c86af55f5f4f64ce0e6096341.exe
1200	e774dd9c86af55f5f4f64ce0e6096341.exe
1200	e774dd9c86af55f5f4f64ce0e6096341.exe
1200	e774dd9c86af55f5f4f64ce0e6096341.exe
1880	vpn.exe
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
968	cmd.exe
968	cmd.exe
956	cmd.exe
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
2636	mask_svc.exe
2636	mask_svc.exe
2636	mask_svc.exe
568	vpn.tmp
568	vpn.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 27 IoCs

Processes:

DrvInst.exetapinstall.exemask_svc.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\SET8F8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	mask_svc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8408FE5CA4467EE4DA84A76EF238FE3	mask_svc.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\SET8F8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	mask_svc.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\SET8F7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	mask_svc.exe
File created	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\SET8F7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\SET8E6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	mask_svc.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{55903efa-2e77-0592-2d5c-aa3ff064b146}\SET8E6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8408FE5CA4467EE4DA84A76EF238FE3	mask_svc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

2416 mask_svc.exe
2536 mask_svc.exe
2636 mask_svc.exe

pid	process
2416	mask_svc.exe
2536	mask_svc.exe
2636	mask_svc.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpe774dd9c86af55f5f4f64ce0e6096341.execmd.exe

description	ioc	process
File created	C:\Program Files (x86)\MaskVPN\is-JHIP0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-QQFA3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-U2AI4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-2J5PE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VFBRV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-60AT7.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-P7FOG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-6BALG.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-0L5M0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SVSSS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-BNG9A.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MTU9V.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-28VIN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-CVK45.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-VN4CM.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\Fast_.exe	e774dd9c86af55f5f4f64ce0e6096341.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-FHU8H.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-M9UKR.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-K0SHE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-7EQ0Q.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-S8FPA.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-15UJV.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-69AGV.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\Faster.exe	e774dd9c86af55f5f4f64ce0e6096341.exe
File created	C:\Program Files (x86)\MaskVPN\is-8CETO.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-TLKTL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-I8MK4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MUHGV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9GCJ3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CP7HF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JTNBS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-DCTH6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3FJR1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-NNOO5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-1BC3J.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\13.exe	e774dd9c86af55f5f4f64ce0e6096341.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QAO42.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\Fast.exe	e774dd9c86af55f5f4f64ce0e6096341.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-3R86B.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-IQ62J.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-CCQE2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-P4GPJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-7A39U.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-ARKNK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-53Q22.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-HTBQ0.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\	cmd.exe

Drops file in Windows directory 14 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.execmd.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File created	C:\Windows\Tasks\13.job	cmd.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1648 1624 WerFault.exe Fast.exe

pid	pid_target	process	target process
1648	1624	WerFault.exe	Fast.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 5 IoCs

Processes:

vpn.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	vpn.tmp

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tapinstall.execmd.exevpn.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

13.exeFaster.exeFast_.exeWerFault.exevpn.tmpmask_svc.exemask_svc.exemask_svc.execmd.exe

pid	process
520	13.exe
1884	Faster.exe
1884	Faster.exe
1884	Faster.exe
1728	Fast_.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
2416	mask_svc.exe
2536	mask_svc.exe
2636	mask_svc.exe
2636	mask_svc.exe
2636	mask_svc.exe
568	vpn.tmp
568	vpn.tmp
760	cmd.exe
760	cmd.exe
2636	mask_svc.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

cmd.exe

pid process

760 cmd.exe
760 cmd.exe

pid	process
760	cmd.exe
760	cmd.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

Faster.exeFast_.exevpn.tmpWerFault.exetapinstall.exeDrvInst.exevssvc.exeDrvInst.exeDrvInst.exe

description	pid	process
Token: SeDebugPrivilege	1884	Faster.exe
Token: SeDebugPrivilege	1728	Fast_.exe
Token: SeDebugPrivilege	568	vpn.tmp
Token: SeDebugPrivilege	1648	WerFault.exe
Token: SeDebugPrivilege	568	vpn.tmp
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeBackupPrivilege	1576	vssvc.exe
Token: SeRestorePrivilege	1576	vssvc.exe
Token: SeAuditPrivilege	1576	vssvc.exe
Token: SeBackupPrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1480	DrvInst.exe
Token: SeRestorePrivilege	1440	DrvInst.exe
Token: SeRestorePrivilege	1440	DrvInst.exe
Token: SeRestorePrivilege	1440	DrvInst.exe
Token: SeRestorePrivilege	1440	DrvInst.exe
Token: SeRestorePrivilege	1440	DrvInst.exe
Token: SeRestorePrivilege	1440	DrvInst.exe
Token: SeRestorePrivilege	1440	DrvInst.exe
Token: SeLoadDriverPrivilege	1440	DrvInst.exe
Token: SeLoadDriverPrivilege	1440	DrvInst.exe
Token: SeLoadDriverPrivilege	1440	DrvInst.exe
Token: SeRestorePrivilege	1800	tapinstall.exe
Token: SeLoadDriverPrivilege	1800	tapinstall.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeRestorePrivilege	2240	DrvInst.exe
Token: SeLoadDriverPrivilege	2240	DrvInst.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

vpn.tmp

pid	process
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp
568	vpn.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e774dd9c86af55f5f4f64ce0e6096341.exe13.exeFaster.exevpn.exe

description	pid	process	target process
PID 1200 wrote to memory of 1884	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Faster.exe
PID 1200 wrote to memory of 1884	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Faster.exe
PID 1200 wrote to memory of 1884	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Faster.exe
PID 1200 wrote to memory of 1884	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Faster.exe
PID 1200 wrote to memory of 1728	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast_.exe
PID 1200 wrote to memory of 1728	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast_.exe
PID 1200 wrote to memory of 1728	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast_.exe
PID 1200 wrote to memory of 1728	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast_.exe
PID 1200 wrote to memory of 1624	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast.exe
PID 1200 wrote to memory of 1624	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast.exe
PID 1200 wrote to memory of 1624	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast.exe
PID 1200 wrote to memory of 1624	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	Fast.exe
PID 1200 wrote to memory of 520	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	13.exe
PID 1200 wrote to memory of 520	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	13.exe
PID 1200 wrote to memory of 520	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	13.exe
PID 1200 wrote to memory of 520	1200	e774dd9c86af55f5f4f64ce0e6096341.exe	13.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 520 wrote to memory of 760	520	13.exe	cmd.exe
PID 1884 wrote to memory of 1880	1884	Faster.exe	vpn.exe
PID 1884 wrote to memory of 1880	1884	Faster.exe	vpn.exe
PID 1884 wrote to memory of 1880	1884	Faster.exe	vpn.exe
PID 1884 wrote to memory of 1880	1884	Faster.exe	vpn.exe
PID 1884 wrote to memory of 1880	1884	Faster.exe	vpn.exe
PID 1884 wrote to memory of 1880	1884	Faster.exe	vpn.exe
PID 1884 wrote to memory of 1880	1884	Faster.exe	vpn.exe
PID 1880 wrote to memory of 568	1880	vpn.exe	vpn.tmp
PID 1880 wrote to memory of 568	1880	vpn.exe	vpn.tmp
PID 1880 wrote to memory of 568	1880	vpn.exe	vpn.tmp
PID 1880 wrote to memory of 568	1880	vpn.exe	vpn.tmp
PID 1880 wrote to memory of 568	1880	vpn.exe	vpn.tmp
PID 1880 wrote to memory of 568	1880	vpn.exe	vpn.tmp
PID 1880 wrote to memory of 568	1880	vpn.exe	vpn.tmp

C:\Users\Admin\AppData\Local\Temp\e774dd9c86af55f5f4f64ce0e6096341.exe
"C:\Users\Admin\AppData\Local\Temp\e774dd9c86af55f5f4f64ce0e6096341.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1200

C:\Program Files (x86)\FastPc\FastPc\Faster.exe
"C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\is-JEGFU.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JEGFU.tmp\vpn.tmp" /SL5="$30194,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
5⤵
- Loads dropped DLL
PID:968

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
6⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
5⤵
- Loads dropped DLL
PID:956

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2536

C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
"C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Program Files (x86)\FastPc\FastPc\Fast.exe
"C:\Program Files (x86)\FastPc\FastPc\Fast.exe"
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 868
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Program Files (x86)\FastPc\FastPc\13.exe
"C:\Program Files (x86)\FastPc\FastPc\13.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2952

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6f89a225-9506-1413-fb76-735c55859f16}\oemvista.inf" "9" "6d14a44ff" "00000000000002BC" "WinSta0\Default" "000000000000057C" "208" "c:\program files (x86)\maskvpn\driver\win764"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000005D0" "00000000000005C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "00000000000002BC" "00000000000005C8" "00000000000005DC"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FastPc\FastPc\13.exe
MD5
9cd16c67cb53894f94a5d732ecd3f009

SHA1
126d45dbe070ceb6fe1eb8a8cef99a2349a59f5e

SHA256
95f799d8cf5da3d15fc6cc66807f8a0d5bcdf5755ae933513f24d37347845631

SHA512
bf50a855da003bcfa1e8c6fffe0492adbf86e73ed85eef8151da2cc6f39600531f902d2729637328c5b3d37690c021f336d64c768574c68b3b2856c6c47148e0

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
MD5
bb7db2a053187c745dbafd790698bb40

SHA1
59c2abc023c9e7d6ffe37253cd6b3b041be694af

SHA256
f3f66f68f10dd0291956577ad36fc5a3a1fb25114128fa61206b00e274315bf3

SHA512
da6edcb05483571faecd00fd4aaab48a1e82a5bd91af2783044dea142f933dd0a929cd8c9f4e6f3e0dfcec6f47fa17db0ce42d0876c6b79525d412efe61f6c0c

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
MD5
bb7db2a053187c745dbafd790698bb40

SHA1
59c2abc023c9e7d6ffe37253cd6b3b041be694af

SHA256
f3f66f68f10dd0291956577ad36fc5a3a1fb25114128fa61206b00e274315bf3

SHA512
da6edcb05483571faecd00fd4aaab48a1e82a5bd91af2783044dea142f933dd0a929cd8c9f4e6f3e0dfcec6f47fa17db0ce42d0876c6b79525d412efe61f6c0c

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Faster.exe
MD5
f711d75ce1395b0508eb9e070c049ddc

SHA1
84d0d9ac0cbd18ee40bf8ea5677924199cc86682

SHA256
e1df59a397c7669a857c4e796ba9461522ca40147654e7e66f0996e12b45158c

SHA512
c83056b9484d2a066be74e2f1e8ecca8a49d165fb54736eb69bfde279023af20a506514ced2160d12ed9875d441313d0fadc710beebb3c739c69286e85deaa96

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Faster.exe
MD5
f711d75ce1395b0508eb9e070c049ddc

SHA1
84d0d9ac0cbd18ee40bf8ea5677924199cc86682

SHA256
e1df59a397c7669a857c4e796ba9461522ca40147654e7e66f0996e12b45158c

SHA512
c83056b9484d2a066be74e2f1e8ecca8a49d165fb54736eb69bfde279023af20a506514ced2160d12ed9875d441313d0fadc710beebb3c739c69286e85deaa96

Download Submit
C:\Program Files (x86)\MaskVPN\config.data
MD5
979c3f765105281a5675efc5d5b0fa26

SHA1
7198f3a890f0f344a9d42afe72a5343e1d78553d

SHA256
2e3b749c6db360c75982daf40409e795b5af95a75012cf6794971e52d99432b8

SHA512
ebeec485be584f57aa719514be81843f6d5b3235532ce3e4c9c53544dbc21940da0512d05f9b6002ec5603c53373e0d90cb35d91f2838a7131feec1a3cb70a1f

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\install.bat
MD5
3a05ce392d84463b43858e26c48f9cbf

SHA1
78f624e2c81c3d745a45477d61749b8452c129f1

SHA256
5b56d8b121fc9a7f2d4e90edb1b29373cd2d06bac1c54ada8f6cb559b411180b

SHA512
8a31fda09f0fa7779c4fb0c0629d4d446957c8aaae0595759dd2b434e84a17ecb6ffe4beff973a245caf0452a0c04a488d2ae7b232d8559f3bd1bfd68fed7cf1

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
MD5
9133a44bfd841b8849bddead9957c2c3

SHA1
3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

SHA256
b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

SHA512
d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

Download Submit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
56d2c212567d1d4abeb3dc85f283255b

SHA1
b58c69ef76c3469463bf673f955ee9a068e3b96f

SHA256
b039161a8728ecc86199e29f29ad9cce1df98fa76a1911ca222105955eb03922

SHA512
6ce543f771b094ef220ceaf18afe40436b50d475ebe6fde7bad16eeb1c570ef3a1fd2744c8f99095b32a90a23dd2c29768c4af03ea09aeecf3282869fac112b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
46f12ac96b344d8a3173cd5b8518ffa7

SHA1
d01354a382449574345ae05a16543ec2af80fac2

SHA256
01a18f4e432db807fee4f0613b409c6f5c5c0108cbea9372b44f6fbfd279f64a

SHA512
ce3e15832c67966a5fcf48c3130cd8d5d236b9afbeae63abf3566e5fcabf62a9a7b3276b246d0d349ae43644822460ae1423a904bbec4fafc98328b65f7315d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
MD5
afb61c2cb8889a46090a579510d9286d

SHA1
733516e971c0285ba33de4f4b1725e5e48840cf3

SHA256
f275e375a7b74ca372860250f80bd03d8332cafe43815e270194c65776b0ffbb

SHA512
2dd029ae53cc159235b5e28bb787f444cf72c836300185d89d3d200e84eb58c0edbe9935c61fc520c27efbc61b9c00288f4daf52959eef1ec8277f7659c2cfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JEGFU.tmp\vpn.tmp
MD5
c4cadbafe35022d27c6d9cb013e58389

SHA1
bf26cb7dc2b017f89128c64900122fd3a29434d7

SHA256
16aef354b954255ad1bb0e78fae24d1e53764f07ab832f1c6098c7f076b9e173

SHA512
b57ff2f5d653581407d68623f63b0f3f787dad64bce1130bdc910ae88d331fa66922b41fc0e374987a576ff4d01899e33b353186bb613a28bf9bf24d27d9a5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JEGFU.tmp\vpn.tmp
MD5
c4cadbafe35022d27c6d9cb013e58389

SHA1
bf26cb7dc2b017f89128c64900122fd3a29434d7

SHA256
16aef354b954255ad1bb0e78fae24d1e53764f07ab832f1c6098c7f076b9e173

SHA512
b57ff2f5d653581407d68623f63b0f3f787dad64bce1130bdc910ae88d331fa66922b41fc0e374987a576ff4d01899e33b353186bb613a28bf9bf24d27d9a5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpn.exe
MD5
92aac76a8dfb9e244811f7871ed0f66e

SHA1
5b0eb11caba29030e3f68eaa36276739f9d876c4

SHA256
2acbc4c0692483c47afbd1919b764870106992961f1e0f333bcab3a9513a973c

SHA512
400b13c2884a0873a0da188e51836e6b2b9c2ea846d7c0087aae1a85078f8c1303f6f6de85dad0b0c9e97a338c9622f17814724eb4d11cc9ffeaf8acd1642b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpn.exe
MD5
92aac76a8dfb9e244811f7871ed0f66e

SHA1
5b0eb11caba29030e3f68eaa36276739f9d876c4

SHA256
2acbc4c0692483c47afbd1919b764870106992961f1e0f333bcab3a9513a973c

SHA512
400b13c2884a0873a0da188e51836e6b2b9c2ea846d7c0087aae1a85078f8c1303f6f6de85dad0b0c9e97a338c9622f17814724eb4d11cc9ffeaf8acd1642b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6F89A~1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6f89a225-9506-1413-fb76-735c55859f16}\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6f89a225-9506-1413-fb76-735c55859f16}\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\INF\oem2.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\OEMVIS~1.INF\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF
MD5
7ebbaa8c3212f4de7d702823e30964e8

SHA1
0ec9b949e7d4674edb0f1075b20430ffdeba036e

SHA256
175b2ee3e88150095ddf3db1fa9840e668e72b38a091caee095411b000caa3e2

SHA512
2a95bf2f09dbe7339fba1fcc6af1cd142393f433642f872e549fa44f563b79a89ca707ee5448ac3af86ef4ec75899da4ba707d733e2fc1c3c62b1075f22f9d30

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1
MD5
e7f4106452d796d4777540dd9b440a64

SHA1
cd56fe968c7cef84821d992f090f09273ae5de33

SHA256
a9ee9da35890f445b4aba0346413356613e132457ffd7cd9fa33fae7f6474689

SHA512
c286a5e7aad5839c2a7de3f2cd62fce1d4a5a774e136ac96e6a6ff1f7f0ee72fee0e217189f1b01a1346445a2d0b6ae5ebd2ac197987bf14a1cedb6c2b89de81

Download Submit
\??\c:\PROGRA~2\maskvpn\driver\win764\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\maskvpn\driver\win764\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\Program Files (x86)\FastPc\FastPc\13.exe
MD5
9cd16c67cb53894f94a5d732ecd3f009

SHA1
126d45dbe070ceb6fe1eb8a8cef99a2349a59f5e

SHA256
95f799d8cf5da3d15fc6cc66807f8a0d5bcdf5755ae933513f24d37347845631

SHA512
bf50a855da003bcfa1e8c6fffe0492adbf86e73ed85eef8151da2cc6f39600531f902d2729637328c5b3d37690c021f336d64c768574c68b3b2856c6c47148e0

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast.exe
MD5
37f9ed9d61e6463796aeeb8b72fe3b37

SHA1
0a70b57a1a674a881ca23405532848e31acfe770

SHA256
a391af39b144458767e805699ef1964bf65f1e5ca82ef6980796c8af4e86e25c

SHA512
979565d457ad31a5ad2bda417aa8dace2532083ada0ed1391a017b9a67701c819e9f3dc898a8dba429006e83138eb14ca43b6cbd3a891f50dbaafacb036b53e1

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast_.exe
MD5
bb7db2a053187c745dbafd790698bb40

SHA1
59c2abc023c9e7d6ffe37253cd6b3b041be694af

SHA256
f3f66f68f10dd0291956577ad36fc5a3a1fb25114128fa61206b00e274315bf3

SHA512
da6edcb05483571faecd00fd4aaab48a1e82a5bd91af2783044dea142f933dd0a929cd8c9f4e6f3e0dfcec6f47fa17db0ce42d0876c6b79525d412efe61f6c0c

Download Submit
\Program Files (x86)\FastPc\FastPc\Faster.exe
MD5
f711d75ce1395b0508eb9e070c049ddc

SHA1
84d0d9ac0cbd18ee40bf8ea5677924199cc86682

SHA256
e1df59a397c7669a857c4e796ba9461522ca40147654e7e66f0996e12b45158c

SHA512
c83056b9484d2a066be74e2f1e8ecca8a49d165fb54736eb69bfde279023af20a506514ced2160d12ed9875d441313d0fadc710beebb3c739c69286e85deaa96

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
\Program Files (x86)\MaskVPN\mask_svc.exe
MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-DBEHC.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Local\Temp\is-JEGFU.tmp\vpn.tmp
MD5
c4cadbafe35022d27c6d9cb013e58389

SHA1
bf26cb7dc2b017f89128c64900122fd3a29434d7

SHA256
16aef354b954255ad1bb0e78fae24d1e53764f07ab832f1c6098c7f076b9e173

SHA512
b57ff2f5d653581407d68623f63b0f3f787dad64bce1130bdc910ae88d331fa66922b41fc0e374987a576ff4d01899e33b353186bb613a28bf9bf24d27d9a5c4

Download Submit
memory/520-73-0x0000000000000000-mapping.dmp

Download
memory/520-80-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/568-120-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-124-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-126-0x0000000007590000-0x00000000081DA000-memory.dmp

Filesize
12.3MB

Download
memory/568-119-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-109-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/568-92-0x0000000000000000-mapping.dmp

Download
memory/568-121-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-122-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-100-0x0000000006F70000-0x0000000007250000-memory.dmp

Filesize
2.9MB

Download
memory/568-123-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-118-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-117-0x0000000007E50000-0x0000000007E54000-memory.dmp

Filesize
16KB

Download
memory/568-110-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/760-76-0x0000000000000000-mapping.dmp

Download
memory/760-200-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/760-198-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/760-82-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/956-135-0x0000000000000000-mapping.dmp

Download
memory/968-128-0x0000000000000000-mapping.dmp

Download
memory/1200-53-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1556-133-0x0000000000000000-mapping.dmp

Download
memory/1624-78-0x0000000000960000-0x0000000000A36000-memory.dmp

Filesize
856KB

Download
memory/1624-79-0x0000000000400000-0x00000000008E3000-memory.dmp

Filesize
4.9MB

Download
memory/1624-66-0x00000000002C9000-0x0000000000345000-memory.dmp

Filesize
496KB

Download
memory/1624-64-0x0000000000000000-mapping.dmp

Download
memory/1648-103-0x0000000000000000-mapping.dmp

Download
memory/1648-125-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1728-84-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download
memory/1728-67-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1800-138-0x0000000000000000-mapping.dmp

Download
memory/1880-85-0x0000000000000000-mapping.dmp

Download
memory/1880-108-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1884-55-0x0000000000000000-mapping.dmp

Download
memory/1884-81-0x000000001A560000-0x000000001A562000-memory.dmp

Filesize
8KB

Download
memory/1884-83-0x000000001A566000-0x000000001A585000-memory.dmp

Filesize
124KB

Download
memory/1884-70-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2416-168-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2416-161-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2416-165-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2416-164-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2416-157-0x0000000000000000-mapping.dmp

Download
memory/2416-160-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2416-163-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2416-166-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2536-180-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2536-172-0x0000000000000000-mapping.dmp

Download
memory/2636-184-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2636-187-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2636-192-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2636-193-0x0000000033C20000-0x0000000033DE6000-memory.dmp

Filesize
1.8MB

Download
memory/2636-194-0x0000000033F30000-0x0000000034088000-memory.dmp

Filesize
1.3MB

Download
memory/2636-196-0x0000000033420000-0x0000000033478000-memory.dmp

Filesize
352KB

Download
memory/2636-189-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2636-188-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2952-201-0x0000000000000000-mapping.dmp

Download
memory/2952-202-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/2952-203-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download