Analysis

  • max time kernel
    62s
  • max time network
    66s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    24-06-2024 17:50

General

  • Target

    fasttracker-6.2-installer_1wy-uW1.exe

  • Size

    1.7MB

  • MD5

    3e65343420cce15a318c4c03ef2333ca

  • SHA1

    196a7eae883c368a9410e702e064cbb5a50ca8a2

  • SHA256

    1a3c8cea2b21f95ce83d6e8bb12e91d92ae1a3b53300c4998ed55905ce5de681

  • SHA512

    b1124afe85280e19f27b6f8d39a4e3cc9c0a3fe924beacd424772a9828bcc9ad4181063d3f2dfeee8e195e1c93771bffb12863272a6793159b8550fd4185135d

  • SSDEEP

    24576:d7FUDowAyrTVE3U5F//5bOyUg3nj6YQB36gMoKMzSZ8enwy1cYy2rUk+RN:dBuZrEU8PInj6P3Z26elg2rUZN

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops file in Drivers directory 4 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe
    "C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp" /SL5="$80236,837551,832512,C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe
        "C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe" -ip:"dui=15439030-dbba-449d-b460-326ebc585651&dit=20240624175017&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe
          "C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe" /silent
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe
            .\UnifiedStub-installer.exe /silent
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4372
            • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
              "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
              6⤵
              • Executes dropped EXE
              PID:1376
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
              6⤵
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:3732
              • C:\Windows\system32\runonce.exe
                "C:\Windows\system32\runonce.exe" -r
                7⤵
                • Checks processor information in registry
                • Suspicious use of WriteProcessMemory
                PID:2120
                • C:\Windows\System32\grpconv.exe
                  "C:\Windows\System32\grpconv.exe" -o
                  8⤵
                    PID:756
              • C:\Windows\system32\wevtutil.exe
                "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4768
              • C:\Windows\SYSTEM32\fltmc.exe
                "fltmc.exe" load rsKernelEngine
                6⤵
                • Suspicious behavior: LoadsDriver
                • Suspicious use of AdjustPrivilegeToken
                PID:5204
              • C:\Windows\system32\wevtutil.exe
                "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3536
              • C:\Program Files\ReasonLabs\EPP\rsWSC.exe
                "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Modifies system certificate store
                • Suspicious use of AdjustPrivilegeToken
                PID:1228
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1668
          3⤵
          • Program crash
          PID:1516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1468
          3⤵
          • Program crash
          PID:1972
    • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
      1⤵
      • Executes dropped EXE
      PID:1180
    • C:\Program Files\ReasonLabs\EPP\rsWSC.exe
      "C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:6464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4104 -ip 4104
      1⤵
        PID:3852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4104 -ip 4104
        1⤵
          PID:1944

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

          Filesize

          336KB

        • C:\Program Files\ReasonLabs\EPP\mc.dll

          Filesize

          1.1MB

        • C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

          Filesize

          350KB

        • C:\Program Files\ReasonLabs\EPP\rsEngine.config

          Filesize

          5KB

        • C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

          Filesize

          370B

        • C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

          Filesize

          606B

        • C:\Program Files\ReasonLabs\EPP\rsWSC.exe

          Filesize

          202KB

        • C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

          Filesize

          2.2MB

        • C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

          Filesize

          2KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\ArchiveUtilityx64.dll

          Filesize

          154KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\Microsoft.Win32.TaskScheduler.dll

          Filesize

          340KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe

          Filesize

          1.1MB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\1442ae55\79e7fd0c_5fc6da01\rsAtom.DLL

          Filesize

          158KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\1f71dab3\b1ab020d_5fc6da01\rsLogger.DLL

          Filesize

          178KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\ac29aa62\b1ab020d_5fc6da01\rsJSON.DLL

          Filesize

          220KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\e1e52707\b1ab020d_5fc6da01\rsServiceController.DLL

          Filesize

          174KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsAtom.dll

          Filesize

          156KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsJSON.dll

          Filesize

          217KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsLogger.dll

          Filesize

          176KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsStubLib.dll

          Filesize

          255KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsSyncSvc.exe

          Filesize

          795KB

        • C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\uninstall-epp.exe

          Filesize

          324KB

        • C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\RAV_Cross.png

          Filesize

          56KB

        • C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\WebAdvisor.png

          Filesize

          46KB

        • C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe

          Filesize

          32KB

        • C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\mainlogo.jpg

          Filesize

          2KB

        • C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp

          Filesize

          3.1MB

        • C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe

          Filesize

          2.3MB

        • C:\Users\Admin\Downloads\fasttracker-6.2-installer.exe

          Filesize

          285KB

        • C:\Windows\System32\drivers\rsElam.sys

          Filesize

          19KB
