Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
06/04/2024, 21:41
Static task
static1
Behavioral task
behavioral1
Sample
AtlasVPN-x64.msi
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
AtlasVPN-x64.msi
Resource
win10v2004-20240226-en
General
-
Target
AtlasVPN-x64.msi
-
Size
79.2MB
-
MD5
04cc95b57c3905f853003fd1ce01ac8e
-
SHA1
4cd11a3dc0f85c8f68019e311c34c065fcda3638
-
SHA256
a43f06f6e4b469bb80aa085bf7940b277c60d025ad16716f5bf88620caeb46e2
-
SHA512
1fc25a2e2e31e788ede5df877b5674784ffefc846d250788e5d012c949e41df50299d540955663f500ae42d1af78ef6f65b0ff8edb8cbdbd48dd1079567f64d4
-
SSDEEP
1572864:s63jKGuwEOAQQzZDGWDNbutRUtg7fsP2UTdFZ0ogbKpVD5ImV59L3AD:s6furNQQzZDJDNbuDr7fATdFaNEVD51E
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process
7 1812 msiexec.exe
10 1812 msiexec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation AtlasVPN.exe
-
Deletes itself 1 IoCs
pid Process
4840 AtlasVPN.exe
-
Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\system32\wintun.dll msiexec.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 19 IoCs
-
Executes dropped EXE 2 IoCs
pid Process
4048 AtlasVPN.Worker.exe
4840 AtlasVPN.exe
-
Loads dropped DLL 64 IoCs
-
Registers COM server for autorun 1 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32\ = "\"C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe\" -ToastActivated" AtlasVPN.exe
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32 AtlasVPN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32\ = "\"C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe\" -ToastActivated" AtlasVPN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32 AtlasVPN.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe
-
Modifies registry class 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process
3948 MsiExec.exe
3948 MsiExec.exe
3548 msiexec.exe
3548 msiexec.exe
4048 AtlasVPN.Worker.exe
4048 AtlasVPN.Worker.exe
4048 AtlasVPN.Worker.exe
4048 AtlasVPN.Worker.exe
4048 AtlasVPN.Worker.exe
4048 AtlasVPN.Worker.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process
1812 msiexec.exe
1812 msiexec.exe
4840 AtlasVPN.exe
4840 AtlasVPN.exe
4840 AtlasVPN.exe
4840 AtlasVPN.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
pid Process
4840 AtlasVPN.exe
4840 AtlasVPN.exe
4840 AtlasVPN.exe
4840 AtlasVPN.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
PID 3548 wrote to memory of 4252 3548 msiexec.exe 102
PID 3548 wrote to memory of 4252 3548 msiexec.exe 102
PID 3548 wrote to memory of 3948 3548 msiexec.exe 104
PID 3548 wrote to memory of 3948 3548 msiexec.exe 104
PID 3548 wrote to memory of 3948 3548 msiexec.exe 104
PID 3548 wrote to memory of 3624 3548 msiexec.exe 105
PID 3548 wrote to memory of 3624 3548 msiexec.exe 105
PID 3548 wrote to memory of 3624 3548 msiexec.exe 105
PID 1812 wrote to memory of 4840 1812 msiexec.exe 108
PID 1812 wrote to memory of 4840 1812 msiexec.exe 108
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AtlasVPN-x64.msi
PID: 1812
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

    C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe
    Command line: "C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe"
    PID: 4840
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 3548
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4252
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 203F8C45225E572EEA8D70A4F6794444
    PID: 3948
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A2B9780F1B5C920FC6827C4BB187CBF6 E Global\MSI0000
    PID: 3624
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 3744
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe
Command line: "C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe"
PID: 4048
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
10.1MB
MD58d1ff4dbfbb56742076f90a2bc71985d
SHA1df27d00e109fff431d640511a82bb91bf86fe374
SHA2567cf2ba8d1b18f42b7da7b0ff5fc93740e959422e0e0dae4e374b2d4a2e5b5384
SHA512d676549cd95b4ffad9c523fd4e63dbabd0ef8ebbdcf526e4acb1e24974dff50345792c4450846c1e6874c7fb92330e242f87cf323a403f7444131fcf5c9aa87b
-
Filesize
32KB
MD5a856ce9a5ea297ba02b34dfe37bfb9bc
SHA1e0bd9431639a415d2315d33c1cf86bd4ab57563a
SHA2567ce50398eea6f292389ec13b5e9e8ff5417669d27b38d0f82f15dc51ccedb569
SHA512c719b7ee4f876a45be4878f66f7d16c44d0a32b234172e32316c75f350b2db2ea8dcd7181abf011a32976c058acdad51c1fa1c1c2a62bc1d0e610ed428aac048
-
Filesize
52KB
MD55bf2398f935183238f792aad6bb76905
SHA1e5f3e420ddedf9a52484f23513f508e32e524e35
SHA256f7ee44f2054383e86cdddc9bdbcc78725538ade9b676a61f062ca730c1d9de40
SHA51288654fa6b23ef4cecbbca6e7c7b5217d163863e4c7e62e597c855314a652af96f754090d8778989beae62f4db0f256c12c8593190da09eb5da79ee6319c1df4a
-
Filesize
43KB
MD54072097ef4af2a79fa1ad21cd9060488
SHA1a801ec968dcbb03a8c47f2cf8833d477417a000a
SHA25649f1f71a99aac0f1f9695bac37e501b4c91eea7dbd8a1896b8fa6d765991b246
SHA5127c7e1dc531b673cb46bb5dc938496d326d1f4c65a8498293ea49be6da79c77bcbe90be9b9febf2583f0b36cbbc7c0975075543674970deed3b4258cfd8256c5d
-
Filesize
79KB
MD56f97d62798c209488efb1a1262e02c0a
SHA13acc2b2570ccde709819808015070321c36891d9
SHA256356a5a0c308ed908779252f08b461ce8a68b2e111f994ffda7e560628270715d
SHA5124c5a33448a951e1d50b21fcb648f0d0b63051594a2a7c170529d5fdcef601bde10a9c6192cbf7273a054c53d99215b66d5d8380c6d93fd6e2d38287ec60dfd0c
-
Filesize
1.4MB
MD5b582610f6f2238ad2f870932442d55e7
SHA1ec0f039f250b3c41ec7367ecd11ff9f7c3af577b
SHA25633d1d5e413c0871c985d37e827f4620148d2c1e6d8c13960ad455b32c3d5e65e
SHA51252a3be870492c35015b32f03b1147d3350e53552d44c73de2e871d4f8e1eac5afc85a649d901010582eb8268ece43b76ec047eb36c91e758080a35ac69efea4f
-
Filesize
4.9MB
MD5219d43e2ecc74c6d89b23b3533278e42
SHA1dbe6a69160869f9541c2cddcb3e4c555fd61b21d
SHA2566b15e3d195f0ba048703841f3a7ded4973e45eb4337ea3358f243165b9c9d8bc
SHA512ce6bc498c7b86523ae902184773ed49e03932b2ebb4596583a6af037102605355759e55ad6d87708519ff924fa72805d16032838f06c8d848b7f5228580a8562
-
Filesize
368KB
MD59559634b72c43481c212bf4d1e8d5db2
SHA160c2ad0b36ff63dc459f8f4d41f39d76b572c967
SHA256d2ba2e9e265028993513b0830f515cf7fd6139965f9e40bac6338f9e2a53e7d1
SHA512b0ea22c4761a6971e5c6a3329d8fb49a8fe5a37c3f09d945c589f59d7f6ca9d72f715f2098bcc1ff17c647cd7419c9347999b185b5551e77f5e426509a428034
-
Filesize
384KB
MD522e0f186b5b630a0988f01730b7c4e9b
SHA1fcecdb4960db195b99028579a548cf1c20271410
SHA25602a7a787b52e8804d4008677e532843141340e7132a90251982027420b30e87b
SHA5120ba3bebf9e02ff60063df08c6f8dea995c5b60898ead08297a3d50e17d8dc7d9ca9e30d95ef81e1ca8a0a23f124c262be36644df419c185b5f27935762dd3781
-
Filesize
145KB
MD5c3b3a1854f889814c12f6cc6da40b5aa
SHA1553ad6cefa2348c71d6ba84b562a9c470631a0cc
SHA256a25e7a71d8ede9ad4727b0a74c0cb1ca8a8a9f79e6f5e6b6a7d26f75b61c2141
SHA51268d577858b28e057ef38f638a4983db6b6fb980d39f998536eff57623e8f87d99323ba3843eee22bfa356230366193827534eb0289fc484e438600d540b0039f
-
Filesize
100KB
MD530dca9c062efa8a31691efe3385f6e87
SHA18a62daa53b88b0b87043a10fcd6e84e7d348a591
SHA25681fa3c2943d987608233928a96c3167de59fdd239e75f18e2d4ebd5907d8b357
SHA5123a5b81faa6286f70baa2b80dd2d14a18b887951042039d653926e9d29ab658625f0d04d3830d11d45b73b4cf6830bb341265bc0db09580f12150c8aaae244ce2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_70C7C5399E13EE2B17865233A7698176
Filesize 1KB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize 1KB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_70C7C5399E13EE2B17865233A7698176
Filesize 540B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize 536B
-
C:\Users\Admin\AppData\Local\AtlasVPN\AtlasVPN_StrongName_sk5dvgpwisbm4egbpxgjauge0zc5yymi\03jb5nuc.newcfg
Filesize 339B
-
C:\Users\Admin\AppData\Local\AtlasVPN\AtlasVPN_StrongName_sk5dvgpwisbm4egbpxgjauge0zc5yymi\AppCenter.config
Filesize 199B
-
C:\Users\Admin\AppData\Local\AtlasVPN\AtlasVPN_StrongName_sk5dvgpwisbm4egbpxgjauge0zc5yymi\ygv0zplb.newcfg
Filesize 270B