Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1jsq4ace42
Target AtlasVPN-x64.msi
SHA256 a43f06f6e4b469bb80aa085bf7940b277c60d025ad16716f5bf88620caeb46e2
Tags
persistence
score
6/10

Analysis Overview

score
6/10

SHA256

a43f06f6e4b469bb80aa085bf7940b277c60d025ad16716f5bf88620caeb46e2

Threat Level: Shows suspicious behavior

The file AtlasVPN-x64.msi was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Blocklisted process makes network request

Enumerates connected drives

Deletes itself

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Drops file in Program Files directory

Registers COM server for autorun

Enumerates physical storage devices

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:41

Reported

2024-04-06 21:44

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AtlasVPN-x64.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AtlasVPN-x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab15B4.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar15C7.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar16F7.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:41

Reported

2024-04-06 21:44

Platform

win10v2004-20240226-en

Max time kernel

119s

Max time network

118s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AtlasVPN-x64.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\wintun.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\AtlasVPN\Bin\System.Runtime.Serialization.Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Castle.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Serilog.Formatting.Compact.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.VisualBasic.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.ObjectModel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Xml.Linq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\PresentationFramework-SystemXml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.DependencyModel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\PresentationFramework-SystemXmlLinq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Text.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\api-ms-win-core-namedpipe-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Threading.Thread.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.VisualBasic.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.IO.Compression.Brotli.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Configuration.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Configuration.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.VisualBasic.Forms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Diagnostics.Contracts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.EntityFrameworkCore.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\ru-RU\AtlasVpn.Resources.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Threading.Timer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\AtlasVPN.Http.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Windows.Presentation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Diagnostics.EventLog.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.AppCenter.Crashes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Resources.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\AtlasVPN.KillSwitch.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Xml.Serialization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Runtime.Handles.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.DiaSymReader.Native.amd64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\PenImc_cor3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Security.SecureString.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Text.RegularExpressions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Windows.Forms.Design.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Net.Http.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Configuration.UserSecrets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.IdentityModel.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\msquic.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Console.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Private.Uri.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Design.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Threading.Tasks.Parallel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\pl-PL\AtlasVpn.Resources.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\AtlasVPN.Analytics.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\clrjit.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\DotNetKit.Wpf.AutoCompleteComboBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.DependencyInjection.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Options.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Globalization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Linq.Parallel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Transactions.Local.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Net.ServicePoint.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\e_sqlite3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\es-ES\AtlasVpn.Resources.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\Microsoft.Xaml.Behaviors.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Globalization.Calendars.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Memory.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\H.NotifyIcon.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\PresentationCore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\System.Net.NetworkInformation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\AtlasVPN\Bin\AtlasVPN.Analytics.AppCenter.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C97.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI72D1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e584da0.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e584d9e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5270.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5753.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88DA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5AD0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{32CF998F-C6CA-4FAC-BE42-3A5C94CCF662}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{32CF998F-C6CA-4FAC-BE42-3A5C94CCF662}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{32CF998F-C6CA-4FAC-BE42-3A5C94CCF662}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI5B7D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6F74.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e584d9e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{32CF998F-C6CA-4FAC-BE42-3A5C94CCF662} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5A81.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe N/A
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32\ = "\"C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe\" -ToastActivated" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32 C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32\ = "\"C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe\" -ToastActivated" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32 C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\DefaultIcon\ = "C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe,1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\ = "URL:AtlasVPN" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4} C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4} C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/AtlasVPN/Bin/AtlasVPN.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\3E5DBA08-7EC3-CC88-1F18-0CF79CE7ADE4\\Icon.png" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32 C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\shell\open\command\ = "C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe %1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\ProductIcon = "C:\\Windows\\Installer\\{32CF998F-C6CA-4FAC-BE42-3A5C94CCF662}\\icon.ico" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6B11830261906754BA51167924A9149E\F899FC23AC6CCAF4EB24A3C549CC6F26 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32\ = "\"C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe\" -ToastActivated" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\ProductName = "AtlasVPN" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6B11830261906754BA51167924A9149E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/AtlasVPN/Bin/AtlasVPN.exe C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/AtlasVPN/Bin/AtlasVPN.exe\IconBackgroundColor = "FFDDDDDD" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F899FC23AC6CCAF4EB24A3C549CC6F26\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\SourceList\PackageName = "AtlasVPN-x64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4} C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32\ = "\"C:\\Program Files\\AtlasVPN\\Bin\\AtlasVPN.exe\" -ToastActivated" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F899FC23AC6CCAF4EB24A3C549CC6F26 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\AppId = "{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\RunAs = "Interactive User" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/AtlasVPN/Bin/AtlasVPN.exe\DisplayName = "AtlasVPN" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\Version = "33882122" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/AtlasVPN/Bin/AtlasVPN.exe\CustomActivator = "{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/AtlasVPN/Bin/AtlasVPN.exe\Has7.0.1Fix = "1" C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AtlasVPN\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\AppUserModelId C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\PackageCode = "68D6C35BB1910104285DA6F477D4ACD8" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F899FC23AC6CCAF4EB24A3C549CC6F26\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3e5dba08-7ec3-cc88-1f18-0cf79ce7ade4}\LocalServer32 C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A
N/A N/A C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AtlasVPN-x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 203F8C45225E572EEA8D70A4F6794444

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A2B9780F1B5C920FC6827C4BB187CBF6 E Global\MSI0000

C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe

"C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe"

C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe

"C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 159.185.200.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 shop.atlasvpn.com udp
US 104.22.35.79:443 shop.atlasvpn.com tcp
US 8.8.8.8:53 in.appcenter.ms udp
US 52.232.209.85:443 in.appcenter.ms tcp
US 52.232.209.85:443 in.appcenter.ms tcp
US 8.8.8.8:53 79.35.22.104.in-addr.arpa udp
US 8.8.8.8:53 85.209.232.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_70C7C5399E13EE2B17865233A7698176

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_70C7C5399E13EE2B17865233A7698176

C:\Windows\Installer\MSI5270.tmp

C:\Windows\Installer\MSI5AD0.tmp

C:\Users\Admin\AppData\Local\Temp\Tmp5BC7.tmp

C:\Windows\Installer\MSI6F74.tmp

C:\Program Files\AtlasVPN\Bin\AtlasVPN.exe

C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.exe

C:\Program Files\AtlasVPN\Bin\hostfxr.dll

C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.deps.json

C:\Program Files\AtlasVPN\Bin\System.Private.CoreLib.dll

C:\Program Files\AtlasVPN\Bin\mscorrc.dll

C:\Program Files\AtlasVPN\Bin\coreclr.dll

C:\Program Files\AtlasVPN\Bin\hostpolicy.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Hosting.Abstractions.dll

C:\Program Files\AtlasVPN\Bin\netstandard.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Logging.dll

C:\Program Files\AtlasVPN\Bin\System.ComponentModel.dll

C:\Program Files\AtlasVPN\Bin\System.Runtime.InteropServices.dll

C:\Program Files\AtlasVPN\Bin\System.Threading.dll

C:\Program Files\AtlasVPN\Bin\System.Diagnostics.DiagnosticSource.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Win32.Primitives.dll

C:\Program Files\AtlasVPN\Bin\System.Memory.dll

C:\Program Files\AtlasVPN\Bin\System.Runtime.InteropServices.RuntimeInformation.dll

C:\Program Files\AtlasVPN\Bin\System.ComponentModel.Primitives.dll

C:\Program Files\AtlasVPN\Bin\System.Diagnostics.Process.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.DependencyInjection.dll

C:\Program Files\AtlasVPN\Bin\System.Collections.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Configuration.Abstractions.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.DependencyInjection.Abstractions.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Hosting.WindowsServices.dll

C:\Program Files\AtlasVPN\Bin\Microsoft.Extensions.Hosting.dll

C:\Program Files\AtlasVPN\Bin\System.Runtime.dll

C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.dll

C:\Program Files\AtlasVPN\Bin\clrjit.dll

C:\Program Files\AtlasVPN\Bin\AtlasVPN.Worker.runtimeconfig.json

C:\Config.Msi\e584d9f.rbs

C:\Windows\Installer\e584d9e.msi

C:\Users\Admin\AppData\Local\Temp\TmpCAAE.tmp

C:\Users\Admin\AppData\Local\AtlasVPN\AtlasVPN_StrongName_sk5dvgpwisbm4egbpxgjauge0zc5yymi\03jb5nuc.newcfg

C:\Users\Admin\AppData\Local\AtlasVPN\AtlasVPN_StrongName_sk5dvgpwisbm4egbpxgjauge0zc5yymi\ygv0zplb.newcfg

C:\Users\Admin\AppData\Local\AtlasVPN\AtlasVPN_StrongName_sk5dvgpwisbm4egbpxgjauge0zc5yymi\AppCenter.config
