redline | f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
28-10-2021 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
Size

583KB
MD5

c20afa6d829ac6e72b1444ffad4d13ae
SHA1

5c884c26a76630a76e1efa9c4695959bc8c263ba
SHA256

f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0
SHA512

c3ba72388bfe7c590b67b35ac21122f5ee2e5a371738c34eb74c41ff11eff1b5bb4ab0ef4cd83dd3c689ff904b0be00bdc5186d2e2f02acd74ac5ca5147c757c

Score

10^/10

redline vidar 1045 fast discovery infostealer spyware stealer suricata

Malware Config

Extracted

Family

redline

Botnet

Fast

18.190.26.16:61391

Extracted

Family

vidar

Version

41.6

Botnet

1045

https://mas.to/@lilocc

Attributes

profile_id
1045

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\FastPc\FastPc\Fast_.exe	family_redline
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe	family_redline
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1724-127-0x0000000004080000-0x0000000004180000-memory.dmp	family_vidar
behavioral1/memory/1724-128-0x0000000000400000-0x000000000056F000-memory.dmp	family_vidar

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exe

flow	pid	process
47	576	MsiExec.exe
49	576	MsiExec.exe
50	576	MsiExec.exe
52	576	MsiExec.exe
54	576	MsiExec.exe
56	576	MsiExec.exe
58	576	MsiExec.exe
59	576	MsiExec.exe
60	576	MsiExec.exe
61	576	MsiExec.exe
62	576	MsiExec.exe
63	576	MsiExec.exe
64	576	MsiExec.exe
65	576	MsiExec.exe
66	576	MsiExec.exe
67	576	MsiExec.exe
68	576	MsiExec.exe
69	576	MsiExec.exe
70	576	MsiExec.exe
71	576	MsiExec.exe
72	576	MsiExec.exe
73	576	MsiExec.exe
74	576	MsiExec.exe
75	576	MsiExec.exe
76	576	MsiExec.exe
77	576	MsiExec.exe
78	576	MsiExec.exe
79	576	MsiExec.exe
80	576	MsiExec.exe
81	576	MsiExec.exe
82	576	MsiExec.exe
83	576	MsiExec.exe
84	576	MsiExec.exe
85	576	MsiExec.exe
86	576	MsiExec.exe
87	576	MsiExec.exe
88	576	MsiExec.exe
89	576	MsiExec.exe
90	576	MsiExec.exe
91	576	MsiExec.exe
92	576	MsiExec.exe
93	576	MsiExec.exe
94	576	MsiExec.exe
95	576	MsiExec.exe
96	576	MsiExec.exe
97	576	MsiExec.exe
98	576	MsiExec.exe
99	576	MsiExec.exe
100	576	MsiExec.exe
101	576	MsiExec.exe
102	576	MsiExec.exe
103	576	MsiExec.exe
104	576	MsiExec.exe
105	576	MsiExec.exe
106	576	MsiExec.exe
107	576	MsiExec.exe
108	576	MsiExec.exe
109	576	MsiExec.exe
110	576	MsiExec.exe
111	576	MsiExec.exe
112	576	MsiExec.exe
113	576	MsiExec.exe
114	576	MsiExec.exe
115	576	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET168D.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET168D.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Executes dropped EXE 15 IoCs

Processes:

Faster.exeFastPCV.exeFast_.exeFastPCV.tmpSetup.exeinstaller.exevpn.exevpn.tmptapinstall.exetapinstall.exemask_svc.exemask_svc.exemask_svc.exenote866.exeMaskVPNUpdate.exe

pid	process
1120	Faster.exe
1472	FastPCV.exe
1320	Fast_.exe
1712	FastPCV.tmp
1724	Setup.exe
1556	installer.exe
2812	vpn.exe
2836	vpn.tmp
2980	tapinstall.exe
3028	tapinstall.exe
2524	mask_svc.exe
1172	mask_svc.exe
2584	mask_svc.exe
2660	note866.exe
1780	MaskVPNUpdate.exe

Loads dropped DLL 64 IoCs

Processes:

f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exeFastPCV.exeFastPCV.tmpSetup.exeinstaller.exeMsiExec.exeMsiExec.exeMsiExec.exevpn.exevpn.tmpcmd.execmd.exemask_svc.exeMaskVPNUpdate.exe

pid	process
2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
1472	FastPCV.exe
1712	FastPCV.tmp
1712	FastPCV.tmp
1712	FastPCV.tmp
1712	FastPCV.tmp
1724	Setup.exe
1724	Setup.exe
1724	Setup.exe
1556	installer.exe
1556	installer.exe
1556	installer.exe
1472	MsiExec.exe
1472	MsiExec.exe
1724	Setup.exe
1724	Setup.exe
1724	Setup.exe
1724	Setup.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
1556	installer.exe
576	MsiExec.exe
576	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
576	MsiExec.exe
2812	vpn.exe
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2952	cmd.exe
2952	cmd.exe
3000	cmd.exe
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2584	mask_svc.exe
2584	mask_svc.exe
2584	mask_svc.exe
2836	vpn.tmp
2836	vpn.tmp
2584	mask_svc.exe
1780	MaskVPNUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

installer.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipinfo.io
4 ipinfo.io

flow	ioc
2	ipinfo.io
4	ipinfo.io

Drops file in System32 directory 21 IoCs

Processes:

DrvInst.exeDrvInst.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\SETBB74.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\SETBB74.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\SETBB73.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\SETBB75.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\SETBB75.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ce93bc9-cb97-1799-cb23-18395facf90d}\SETBB73.tmp	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

2524 mask_svc.exe
1172 mask_svc.exe
2584 mask_svc.exe

pid	process
2524	mask_svc.exe
1172	mask_svc.exe
2584	mask_svc.exe

Drops file in Program Files directory 64 IoCs

Processes:

note866.exevpn.tmpmsiexec.exeMaskVPNUpdate.exef30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe

description	ioc	process
File created	C:\Program Files (x86)\FastPc\FastPc\d	note866.exe
File created	C:\Program Files (x86)\MaskVPN\is-PGV49.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-AVLCL.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-REG1Q.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-R2555.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-AO5NP.tmp	vpn.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\MaskVPN\is-DH9IN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-S5ILE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-V5LP5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-S5OSF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-CDBU2.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\MaskVPN\is-VABII.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-IA8Q7.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-6C4F7.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-7M8S8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-A5OM2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-6SS6Q.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-T3K6D.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\d	note866.exe
File created	C:\Program Files (x86)\MaskVPN\is-55G25.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CIJTH.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-12IEN.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-2PFJR.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-FNTE0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-2K5G5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-9PKPT.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-6JPQD.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-UEKIV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CAP63.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-F9A8V.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-L7L6L.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-8C8DV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-J2J7B.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-ATGRP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-AUTUP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-NPINU.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1IIIJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-H0L7K.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-SP37D.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-SIBR2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-357GA.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\FastPc\FastPc\Faster.exe	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GFTTI.tmp	vpn.tmp

Drops file in Windows directory 43 IoCs

Processes:

msiexec.exetapinstall.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3F59.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI494D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E24.tmp	msiexec.exe
File created	C:\Windows\Installer\f763342.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI492D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CE9.tmp	msiexec.exe
File created	C:\Windows\Installer\f763340.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3CE7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4278.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763342.ipi	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File created	C:\Windows\Installer\f763344.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f763340.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E73.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3AD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DE2.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3813.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI414E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI503A.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2428 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1144 taskkill.exe
2108 taskkill.exe
2364 taskkill.exe

pid	process
2428	timeout.exe

pid	process
1144	taskkill.exe
2108	taskkill.exe
2364	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.exeDrvInst.exeDrvInst.exemsiexec.exeDrvInst.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	mask_svc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mask_svc.exe

Modifies registry class 29 IoCs

Processes:

msiexec.exevpn.tmp

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

installer.exetapinstall.exeSetup.exevpn.tmpnote866.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	note866.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	note866.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2572 PING.EXE
2812 PING.EXE

pid	process
2572	PING.EXE
2812	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

Faster.exeMsiExec.exeSetup.exeFast_.exeMsiExec.exemsiexec.exevpn.tmpmask_svc.exemask_svc.exemask_svc.exeMaskVPNUpdate.exe

pid	process
1120	Faster.exe
1120	Faster.exe
1120	Faster.exe
1472	MsiExec.exe
1724	Setup.exe
1724	Setup.exe
1724	Setup.exe
1320	Fast_.exe
1724	Setup.exe
576	MsiExec.exe
576	MsiExec.exe
676	msiexec.exe
676	msiexec.exe
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2524	mask_svc.exe
1172	mask_svc.exe
2584	mask_svc.exe
2584	mask_svc.exe
2584	mask_svc.exe
2836	vpn.tmp
2836	vpn.tmp
2584	mask_svc.exe
2584	mask_svc.exe
1780	MaskVPNUpdate.exe
1780	MaskVPNUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeFaster.exemsiexec.exeinstaller.exe

description	pid	process
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1120	Faster.exe
Token: SeRestorePrivilege	676	msiexec.exe
Token: SeTakeOwnershipPrivilege	676	msiexec.exe
Token: SeSecurityPrivilege	676	msiexec.exe
Token: SeCreateTokenPrivilege	1556	installer.exe
Token: SeAssignPrimaryTokenPrivilege	1556	installer.exe
Token: SeLockMemoryPrivilege	1556	installer.exe
Token: SeIncreaseQuotaPrivilege	1556	installer.exe
Token: SeMachineAccountPrivilege	1556	installer.exe
Token: SeTcbPrivilege	1556	installer.exe
Token: SeSecurityPrivilege	1556	installer.exe
Token: SeTakeOwnershipPrivilege	1556	installer.exe
Token: SeLoadDriverPrivilege	1556	installer.exe
Token: SeSystemProfilePrivilege	1556	installer.exe
Token: SeSystemtimePrivilege	1556	installer.exe
Token: SeProfSingleProcessPrivilege	1556	installer.exe
Token: SeIncBasePriorityPrivilege	1556	installer.exe
Token: SeCreatePagefilePrivilege	1556	installer.exe
Token: SeCreatePermanentPrivilege	1556	installer.exe
Token: SeBackupPrivilege	1556	installer.exe
Token: SeRestorePrivilege	1556	installer.exe
Token: SeShutdownPrivilege	1556	installer.exe
Token: SeDebugPrivilege	1556	installer.exe
Token: SeAuditPrivilege	1556	installer.exe
Token: SeSystemEnvironmentPrivilege	1556	installer.exe
Token: SeChangeNotifyPrivilege	1556	installer.exe
Token: SeRemoteShutdownPrivilege	1556	installer.exe
Token: SeUndockPrivilege	1556	installer.exe
Token: SeSyncAgentPrivilege	1556	installer.exe
Token: SeEnableDelegationPrivilege	1556	installer.exe
Token: SeManageVolumePrivilege	1556	installer.exe
Token: SeImpersonatePrivilege	1556	installer.exe
Token: SeCreateGlobalPrivilege	1556	installer.exe
Token: SeCreateTokenPrivilege	1556	installer.exe
Token: SeAssignPrimaryTokenPrivilege	1556	installer.exe
Token: SeLockMemoryPrivilege	1556	installer.exe
Token: SeIncreaseQuotaPrivilege	1556	installer.exe
Token: SeMachineAccountPrivilege	1556	installer.exe
Token: SeTcbPrivilege	1556	installer.exe
Token: SeSecurityPrivilege	1556	installer.exe
Token: SeTakeOwnershipPrivilege	1556	installer.exe
Token: SeLoadDriverPrivilege	1556	installer.exe
Token: SeSystemProfilePrivilege	1556	installer.exe
Token: SeSystemtimePrivilege	1556	installer.exe
Token: SeProfSingleProcessPrivilege	1556	installer.exe
Token: SeIncBasePriorityPrivilege	1556	installer.exe
Token: SeCreatePagefilePrivilege	1556	installer.exe
Token: SeCreatePermanentPrivilege	1556	installer.exe
Token: SeBackupPrivilege	1556	installer.exe
Token: SeRestorePrivilege	1556	installer.exe
Token: SeShutdownPrivilege	1556	installer.exe
Token: SeDebugPrivilege	1556	installer.exe
Token: SeAuditPrivilege	1556	installer.exe
Token: SeSystemEnvironmentPrivilege	1556	installer.exe
Token: SeChangeNotifyPrivilege	1556	installer.exe
Token: SeRemoteShutdownPrivilege	1556	installer.exe
Token: SeUndockPrivilege	1556	installer.exe
Token: SeSyncAgentPrivilege	1556	installer.exe
Token: SeEnableDelegationPrivilege	1556	installer.exe
Token: SeManageVolumePrivilege	1556	installer.exe
Token: SeImpersonatePrivilege	1556	installer.exe
Token: SeCreateGlobalPrivilege	1556	installer.exe
Token: SeCreateTokenPrivilege	1556	installer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

FastPCV.tmpinstaller.exevpn.tmp

pid	process
1712	FastPCV.tmp
1556	installer.exe
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp
2836	vpn.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MaskVPNUpdate.exe

pid process

1780 MaskVPNUpdate.exe

pid	process
1780	MaskVPNUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exeFastPCV.execmd.exeFastPCV.tmpFaster.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 2040 wrote to memory of 1120	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Faster.exe
PID 2040 wrote to memory of 1120	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Faster.exe
PID 2040 wrote to memory of 1120	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Faster.exe
PID 2040 wrote to memory of 1120	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Faster.exe
PID 2040 wrote to memory of 1472	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	FastPCV.exe
PID 2040 wrote to memory of 1472	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	FastPCV.exe
PID 2040 wrote to memory of 1472	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	FastPCV.exe
PID 2040 wrote to memory of 1472	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	FastPCV.exe
PID 2040 wrote to memory of 1472	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	FastPCV.exe
PID 2040 wrote to memory of 1472	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	FastPCV.exe
PID 2040 wrote to memory of 1472	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	FastPCV.exe
PID 2040 wrote to memory of 1320	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Fast_.exe
PID 2040 wrote to memory of 1320	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Fast_.exe
PID 2040 wrote to memory of 1320	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Fast_.exe
PID 2040 wrote to memory of 1320	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	Fast_.exe
PID 1472 wrote to memory of 1712	1472	FastPCV.exe	FastPCV.tmp
PID 1472 wrote to memory of 1712	1472	FastPCV.exe	FastPCV.tmp
PID 1472 wrote to memory of 1712	1472	FastPCV.exe	FastPCV.tmp
PID 1472 wrote to memory of 1712	1472	FastPCV.exe	FastPCV.tmp
PID 1472 wrote to memory of 1712	1472	FastPCV.exe	FastPCV.tmp
PID 1472 wrote to memory of 1712	1472	FastPCV.exe	FastPCV.tmp
PID 1472 wrote to memory of 1712	1472	FastPCV.exe	FastPCV.tmp
PID 2040 wrote to memory of 1820	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	cmd.exe
PID 2040 wrote to memory of 1820	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	cmd.exe
PID 2040 wrote to memory of 1820	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	cmd.exe
PID 2040 wrote to memory of 1820	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	cmd.exe
PID 2040 wrote to memory of 284	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	gpupdate.exe
PID 2040 wrote to memory of 284	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	gpupdate.exe
PID 2040 wrote to memory of 284	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	gpupdate.exe
PID 2040 wrote to memory of 284	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	gpupdate.exe
PID 2040 wrote to memory of 284	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	gpupdate.exe
PID 2040 wrote to memory of 284	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	gpupdate.exe
PID 2040 wrote to memory of 284	2040	f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe	gpupdate.exe
PID 1820 wrote to memory of 1144	1820	cmd.exe	taskkill.exe
PID 1820 wrote to memory of 1144	1820	cmd.exe	taskkill.exe
PID 1820 wrote to memory of 1144	1820	cmd.exe	taskkill.exe
PID 1820 wrote to memory of 1144	1820	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 1724	1712	FastPCV.tmp	Setup.exe
PID 1712 wrote to memory of 1724	1712	FastPCV.tmp	Setup.exe
PID 1712 wrote to memory of 1724	1712	FastPCV.tmp	Setup.exe
PID 1712 wrote to memory of 1724	1712	FastPCV.tmp	Setup.exe
PID 1712 wrote to memory of 1724	1712	FastPCV.tmp	Setup.exe
PID 1712 wrote to memory of 1724	1712	FastPCV.tmp	Setup.exe
PID 1712 wrote to memory of 1724	1712	FastPCV.tmp	Setup.exe
PID 1120 wrote to memory of 1556	1120	Faster.exe	installer.exe
PID 1120 wrote to memory of 1556	1120	Faster.exe	installer.exe
PID 1120 wrote to memory of 1556	1120	Faster.exe	installer.exe
PID 1120 wrote to memory of 1556	1120	Faster.exe	installer.exe
PID 1120 wrote to memory of 1556	1120	Faster.exe	installer.exe
PID 1120 wrote to memory of 1556	1120	Faster.exe	installer.exe
PID 1120 wrote to memory of 1556	1120	Faster.exe	installer.exe
PID 676 wrote to memory of 1472	676	msiexec.exe	MsiExec.exe
PID 676 wrote to memory of 1472	676	msiexec.exe	MsiExec.exe
PID 676 wrote to memory of 1472	676	msiexec.exe	MsiExec.exe
PID 676 wrote to memory of 1472	676	msiexec.exe	MsiExec.exe
PID 676 wrote to memory of 1472	676	msiexec.exe	MsiExec.exe
PID 676 wrote to memory of 1472	676	msiexec.exe	MsiExec.exe
PID 676 wrote to memory of 1472	676	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 2044	1556	installer.exe	msiexec.exe
PID 1556 wrote to memory of 2044	1556	installer.exe	msiexec.exe
PID 1556 wrote to memory of 2044	1556	installer.exe	msiexec.exe
PID 1556 wrote to memory of 2044	1556	installer.exe	msiexec.exe
PID 1556 wrote to memory of 2044	1556	installer.exe	msiexec.exe
PID 1556 wrote to memory of 2044	1556	installer.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
"C:\Users\Admin\AppData\Local\Temp\f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files (x86)\FastPc\FastPc\Faster.exe
"C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635190589 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
4⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812

C:\Users\Admin\AppData\Local\Temp\is-RTA4K.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RTA4K.tmp\vpn.tmp" /SL5="$700FE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
5⤵
- Loads dropped DLL
PID:2952

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
6⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
5⤵
- Loads dropped DLL
PID:3000

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
PID:3028

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2524

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Users\Admin\AppData\Local\Temp\note866.exe
"C:\Users\Admin\AppData\Local\Temp\note866.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
PID:2660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
3⤵
PID:940

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:2572

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 900
4⤵
- Runs ping.exe
PID:2812

C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe
"C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe" /Verysilent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\is-412H2.tmp\FastPCV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-412H2.tmp\FastPCV.tmp" /SL5="$101B0,138429,56832,C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe" /Verysilent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe" /Verysilent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
5⤵
PID:2324

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
6⤵
- Kills process with taskkill
PID:2364

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:2428

C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
"C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
2⤵
PID:284

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B19F15E9F1CFDBA54918857D246EF8A1 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5CC6918C176E224652B2C03CD918ADCE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:576

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:2108

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24A0A386A70F004EBAA881BB1B59E3AD M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2448

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5d503d76-bbd8-09de-b2e8-655babfea669}\oemvista.inf" "9" "6d14a44ff" "00000000000003D8" "WinSta0\Default" "00000000000005B0" "208" "c:\program files (x86)\maskvpn\driver\win764"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1592

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000005DC" "00000000000005D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2224

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "00000000000003D8" "00000000000005C4" "00000000000005D8"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:780

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe
MD5
67f5ace6729be886c7073e6f5b8ed733

SHA1
23080698d1cf9d15cab783cf1d1bf2189da039af

SHA256
9b22eeefd387bc18361436831012a12ce5cf7754c9890adefde4ca3f8d0f30f4

SHA512
66b32f8af829e10baf09b041ca97b5b9b19f2b66dcc68e79ca3938392d4cb3bac4976a065a7dc357bf592ed611410659bfeeb14845ba58e185281f2957a795f3

Download Submit
C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe
MD5
67f5ace6729be886c7073e6f5b8ed733

SHA1
23080698d1cf9d15cab783cf1d1bf2189da039af

SHA256
9b22eeefd387bc18361436831012a12ce5cf7754c9890adefde4ca3f8d0f30f4

SHA512
66b32f8af829e10baf09b041ca97b5b9b19f2b66dcc68e79ca3938392d4cb3bac4976a065a7dc357bf592ed611410659bfeeb14845ba58e185281f2957a795f3

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
MD5
99b27a925c0111e6603125f6f905fb98

SHA1
733067d049660d98373ec0714df3c3382998f471

SHA256
4a3fe508a811a4c68c6423ff046ad60c98d091d83dcb3fb9557ef2aeb46608d6

SHA512
97aa83142234319b9f66240ce11805d4cb1a483d4b64eaa41a00ff3ee53634e009e9febada843af5e220db3a683d760e461ab998fcd11e8e40893cb7a9e1f9b1

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
MD5
99b27a925c0111e6603125f6f905fb98

SHA1
733067d049660d98373ec0714df3c3382998f471

SHA256
4a3fe508a811a4c68c6423ff046ad60c98d091d83dcb3fb9557ef2aeb46608d6

SHA512
97aa83142234319b9f66240ce11805d4cb1a483d4b64eaa41a00ff3ee53634e009e9febada843af5e220db3a683d760e461ab998fcd11e8e40893cb7a9e1f9b1

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Faster.exe
MD5
73bce379e9a7786df4b844a0eb3ba127

SHA1
e0d78d21ccaa1085dfeb06bbebcfd362cc97d6f5

SHA256
083c8ebec80a4a652972b5899c03e4a41711cfa6e1c030654d39dc0f2a4e15e8

SHA512
95d0f242db72fd1748f8785c6b48b8c0855d9fb4ae26942af720864788b75afcaa5cf4c3cc96e900c1e87c54926c69ea3d5490b2235c7f70e04f85a71d46a9c4

Download Submit
C:\Program Files (x86)\FastPc\FastPc\Faster.exe
MD5
73bce379e9a7786df4b844a0eb3ba127

SHA1
e0d78d21ccaa1085dfeb06bbebcfd362cc97d6f5

SHA256
083c8ebec80a4a652972b5899c03e4a41711cfa6e1c030654d39dc0f2a4e15e8

SHA512
95d0f242db72fd1748f8785c6b48b8c0855d9fb4ae26942af720864788b75afcaa5cf4c3cc96e900c1e87c54926c69ea3d5490b2235c7f70e04f85a71d46a9c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
82c84b49ec1ed0c40c42712d196590ea

SHA1
66e6e6f53c8eaf0b9a3210859a9b820f56fe5ba2

SHA256
d6e4dc21be32a086c4a3d0410e0748102b7c9cbcc2833d05c27282cf785e21a7

SHA512
81b63ee6d8eb9ba0f4fb712bb222852468c6cfe42bc0432cfa107694fa94d27b2cc61bd4d01bb988275250bf71e67c1b7922981a56a454d4d2c9c1c1c8f26964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
be7147c68f1191cbf918b1e79bddbcc6

SHA1
32df9a89667ef742f25294da2c8bf0d00b746fb9

SHA256
4b6c03b8b0bab5c82a60cf24d6c35a52ce35ff91b5986961637a6d14e1f2536f

SHA512
591118f45798be017b3c9063a89c7d77e6bacfdf5a0afa278d87c2efa6f8da7c5057b78a2157c24f65a777eeffaaefb0d458404e2121c966bc0bce87e5e758df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
8a16c7f038c6eb7936c5649169012b27

SHA1
0b6553d302eb03b74b82079cb482d5e9714fc88e

SHA256
d158bdba54d2b1a6aba6712dec9a5f08a1020c1810a3fadb1bb82828e6629c2b

SHA512
8f4031899be140c68b6e3779861cb283688aa5d55e561c0b2665e54ae761bb4a22e4dc9f800d3706d3c79c18c335c3840c91d366c43d6d9e68d0e003c5b2387f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ab623e0a2c8c476a6e805edf85e046a8

SHA1
27145dffe37be9b41ccaef981fb5bb915b19c82f

SHA256
644a8e5839cdc33cea3ec074b60e85bc40a82c8aa0b06921f16fd8840bd5c051

SHA512
093234b25408aad72d98622e3cc8f43492d9c37061945eca787a68b3580cf5e36eeebc3f3bf0213dd616cd02ca88a0f60fd1a8bb7b6e9e525bedc6a99c9ad8a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2b7329ed81043d2b0627aa4128fbc2e6

SHA1
1bbcb8f2d0d0e51236685c3684b2e0b69a7223c8

SHA256
3d78f72b497a1ba1519c9b05a5eb662d1bdc4f6627741b28c1713f992b69d51f

SHA512
a79019ed8b3fa4e9799e96a8ea60a4647a0de0559a42b9957de8ae446aa1681dd6a14169e98cb2e23083412add920527f7210e815318789d4f1daeea77c233c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
77f831e5e3533babf4a2fb58dcfdb273

SHA1
dca93f3e22912ff8dd152fc8c64b2c99198b8374

SHA256
c587de25a44668e6d66d81770c0ec3e77b14278eda59d5ec4ecc96d31865abff

SHA512
0f276e7fb6a88022d1c1380c7b0c78f4d9c5f18d0abe5eed64cca0a647013032fda832810f8a86043891b15a55741f65b5798dc0739ab692f387873f114330a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
753c80d3f5102e1f0667542d41ec3a8c

SHA1
47fac4833e1709d25df8e176d780fcd72602d377

SHA256
dd12fd135a16fdcb1721933c724be36bac0c4d34855ccf8f704383213e77e1ab

SHA512
cbecf1e600d5f0b3a35a18c6b6e29e68500b68b792d41247cb419d395106ec1ff42986aef4ca24c834ec51845e5dbee2ee96e79420cae8c8da6506dcdadef19c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
fcc50794ba7b2b0523ad9738e3af6635

SHA1
6806dacacfa27a1d0249934550f12235ef0e2219

SHA256
3b7d1259d207a2db8c5c125d5c44b309eb876977afec6b3931d7ace9e01812de

SHA512
1475439f175d6ebfa28574371956bfafd8c6dbc1a81cb2651889b5843e30279eee4fec0dfa53679b6ab6d57d7add20ec6a26ffa1504c0d3adaa6582f66740bd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
13e51986161054599431c852f227d376

SHA1
fe650111de3c8f2bcfd11010645301b24eb89c5d

SHA256
6677b133016dfcdadc2e84756161f0cf3073ef9f871fd6b1a65954715fa161c2

SHA512
e3ce76c95a56d797be95470bdaf4c9b612a4bb0e31de7369e86fe385f1b488d1b058fbf34aea187793d76fb1d8b7ab05aa9ce507c9b61fce0b3a6f62831023ed

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5
0763bfda669033ec3c2d5525d285854d

SHA1
5ee1a9a02c75023a7c5e6c387bbd62c6b068def0

SHA256
8398719c784586ec94445c15d74d2a9749fc698f918100f8b0d8e30d530a5be7

SHA512
c279e07367bc66491e783befd4756f84154f32bb0bfe4198da400e0bd308966489652f6372e2bcb83824b2ad7615c0dfe0dbce8849ec129df726d8381f6fa424

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2D1A.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E63.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-412H2.tmp\FastPCV.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe
MD5
4d69306dbe6feb5bd4706c2a41743ea4

SHA1
db47a38722877aff693984536f4828d1dc9fea4b

SHA256
05b400730f117741f31f17c930eaec4c6ec36af3498c7769fd79bca733a887f8

SHA512
f21c2d673afaf18fdb468553fc9f8cb924722682f1dd173f0d25752e024324d03b4e38ce941c3fa44127ab6bad15426a969e4f125599e2a155667b7db1edd43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe
MD5
4d69306dbe6feb5bd4706c2a41743ea4

SHA1
db47a38722877aff693984536f4828d1dc9fea4b

SHA256
05b400730f117741f31f17c930eaec4c6ec36af3498c7769fd79bca733a887f8

SHA512
f21c2d673afaf18fdb468553fc9f8cb924722682f1dd173f0d25752e024324d03b4e38ce941c3fa44127ab6bad15426a969e4f125599e2a155667b7db1edd43c

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5
98e537669f4ce0062f230a14bcfcaf35

SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810

SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735

SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac

Download Submit
C:\Windows\Installer\MSI3813.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI3AD2.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI3B50.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI3C69.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI3CE7.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI3DE2.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Windows\Installer\MSI3F59.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI40A2.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI414E.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
C:\Windows\Installer\MSI4278.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Program Files (x86)\FastPc\FastPc\FastPCV.exe
MD5
67f5ace6729be886c7073e6f5b8ed733

SHA1
23080698d1cf9d15cab783cf1d1bf2189da039af

SHA256
9b22eeefd387bc18361436831012a12ce5cf7754c9890adefde4ca3f8d0f30f4

SHA512
66b32f8af829e10baf09b041ca97b5b9b19f2b66dcc68e79ca3938392d4cb3bac4976a065a7dc357bf592ed611410659bfeeb14845ba58e185281f2957a795f3

Download Submit
\Program Files (x86)\FastPc\FastPc\Fast_.exe
MD5
99b27a925c0111e6603125f6f905fb98

SHA1
733067d049660d98373ec0714df3c3382998f471

SHA256
4a3fe508a811a4c68c6423ff046ad60c98d091d83dcb3fb9557ef2aeb46608d6

SHA512
97aa83142234319b9f66240ce11805d4cb1a483d4b64eaa41a00ff3ee53634e009e9febada843af5e220db3a683d760e461ab998fcd11e8e40893cb7a9e1f9b1

Download Submit
\Program Files (x86)\FastPc\FastPc\Faster.exe
MD5
73bce379e9a7786df4b844a0eb3ba127

SHA1
e0d78d21ccaa1085dfeb06bbebcfd362cc97d6f5

SHA256
083c8ebec80a4a652972b5899c03e4a41711cfa6e1c030654d39dc0f2a4e15e8

SHA512
95d0f242db72fd1748f8785c6b48b8c0855d9fb4ae26942af720864788b75afcaa5cf4c3cc96e900c1e87c54926c69ea3d5490b2235c7f70e04f85a71d46a9c4

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\INA2C8D.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2D1A.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2E63.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Users\Admin\AppData\Local\Temp\is-412H2.tmp\FastPCV.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe
MD5
4d69306dbe6feb5bd4706c2a41743ea4

SHA1
db47a38722877aff693984536f4828d1dc9fea4b

SHA256
05b400730f117741f31f17c930eaec4c6ec36af3498c7769fd79bca733a887f8

SHA512
f21c2d673afaf18fdb468553fc9f8cb924722682f1dd173f0d25752e024324d03b4e38ce941c3fa44127ab6bad15426a969e4f125599e2a155667b7db1edd43c

Download Submit
\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe
MD5
4d69306dbe6feb5bd4706c2a41743ea4

SHA1
db47a38722877aff693984536f4828d1dc9fea4b

SHA256
05b400730f117741f31f17c930eaec4c6ec36af3498c7769fd79bca733a887f8

SHA512
f21c2d673afaf18fdb468553fc9f8cb924722682f1dd173f0d25752e024324d03b4e38ce941c3fa44127ab6bad15426a969e4f125599e2a155667b7db1edd43c

Download Submit
\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe
MD5
4d69306dbe6feb5bd4706c2a41743ea4

SHA1
db47a38722877aff693984536f4828d1dc9fea4b

SHA256
05b400730f117741f31f17c930eaec4c6ec36af3498c7769fd79bca733a887f8

SHA512
f21c2d673afaf18fdb468553fc9f8cb924722682f1dd173f0d25752e024324d03b4e38ce941c3fa44127ab6bad15426a969e4f125599e2a155667b7db1edd43c

Download Submit
\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\Setup.exe
MD5
4d69306dbe6feb5bd4706c2a41743ea4

SHA1
db47a38722877aff693984536f4828d1dc9fea4b

SHA256
05b400730f117741f31f17c930eaec4c6ec36af3498c7769fd79bca733a887f8

SHA512
f21c2d673afaf18fdb468553fc9f8cb924722682f1dd173f0d25752e024324d03b4e38ce941c3fa44127ab6bad15426a969e4f125599e2a155667b7db1edd43c

Download Submit
\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SEMV8.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Windows\Installer\MSI3813.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI3AD2.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI3B50.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI3C69.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI3CE7.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI3DE2.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Windows\Installer\MSI3F59.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI40A2.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI414E.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
memory/284-75-0x0000000000000000-mapping.dmp

Download
memory/576-149-0x0000000000000000-mapping.dmp

Download
memory/676-126-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download
memory/940-243-0x0000000000000000-mapping.dmp

Download
memory/1120-103-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/1120-109-0x000000001AB56000-0x000000001AB75000-memory.dmp

Filesize
124KB

Download
memory/1120-85-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1120-114-0x000000001AB75000-0x000000001AB76000-memory.dmp

Filesize
4KB

Download
memory/1120-57-0x0000000000000000-mapping.dmp

Download
memory/1144-76-0x0000000000000000-mapping.dmp

Download
memory/1172-223-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/1172-216-0x0000000000000000-mapping.dmp

Download
memory/1172-218-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1172-222-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1172-225-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1172-221-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1320-102-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1320-83-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1320-65-0x0000000000000000-mapping.dmp

Download
memory/1472-130-0x0000000000000000-mapping.dmp

Download
memory/1472-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1472-61-0x0000000000000000-mapping.dmp

Download
memory/1556-121-0x000000006E421000-0x000000006E423000-memory.dmp

Filesize
8KB

Download
memory/1556-124-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1556-117-0x0000000000000000-mapping.dmp

Download
memory/1712-100-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/1712-87-0x00000000721E1000-0x00000000721E3000-memory.dmp

Filesize
8KB

Download
memory/1712-71-0x0000000000000000-mapping.dmp

Download
memory/1712-80-0x00000000007D0000-0x000000000080C000-memory.dmp

Filesize
240KB

Download
memory/1712-82-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1712-89-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1712-88-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1712-101-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/1712-91-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1712-98-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/1712-99-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/1712-96-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/1712-97-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/1712-95-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/1712-93-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1712-94-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/1712-92-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1712-90-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1724-128-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1724-105-0x0000000000000000-mapping.dmp

Download
memory/1724-113-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1724-127-0x0000000004080000-0x0000000004180000-memory.dmp

Filesize
1024KB

Download
memory/1780-248-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1780-246-0x0000000000000000-mapping.dmp

Download
memory/1820-73-0x0000000000000000-mapping.dmp

Download
memory/2040-55-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/2044-137-0x0000000000000000-mapping.dmp

Download
memory/2108-154-0x0000000000000000-mapping.dmp

Download
memory/2324-173-0x0000000000000000-mapping.dmp

Download
memory/2364-175-0x0000000000000000-mapping.dmp

Download
memory/2428-177-0x0000000000000000-mapping.dmp

Download
memory/2448-179-0x0000000000000000-mapping.dmp

Download
memory/2524-215-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2524-206-0x0000000000000000-mapping.dmp

Download
memory/2524-210-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2524-213-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2524-211-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2524-212-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2524-207-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2524-208-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2572-244-0x0000000000000000-mapping.dmp

Download
memory/2584-230-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/2584-238-0x00000000340F0000-0x0000000034148000-memory.dmp

Filesize
352KB

Download
memory/2584-236-0x0000000033F90000-0x00000000340E8000-memory.dmp

Filesize
1.3MB

Download
memory/2584-235-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2584-234-0x0000000033520000-0x00000000336E6000-memory.dmp

Filesize
1.8MB

Download
memory/2584-227-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2584-232-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2584-231-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/2660-240-0x0000000000000000-mapping.dmp

Download
memory/2660-242-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2812-181-0x0000000000000000-mapping.dmp

Download
memory/2812-245-0x0000000000000000-mapping.dmp

Download
memory/2812-187-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2836-193-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-195-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-199-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-189-0x0000000006F50000-0x0000000007230000-memory.dmp

Filesize
2.9MB

Download
memory/2836-198-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2836-201-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2836-197-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-185-0x0000000000000000-mapping.dmp

Download
memory/2836-196-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-192-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-200-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-194-0x0000000007E00000-0x0000000007E04000-memory.dmp

Filesize
16KB

Download
memory/2836-188-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2952-202-0x0000000000000000-mapping.dmp

Download
memory/2980-203-0x0000000000000000-mapping.dmp

Download
memory/3000-204-0x0000000000000000-mapping.dmp

Download
memory/3028-205-0x0000000000000000-mapping.dmp

Download