2db131a19b56e70ea942cc12d0ce7732c20a27284f1e44c25e7be8b164e6bcfd

Analysis

max time kernel
124s
max time network
124s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe
Size

4.6MB
MD5

e06b042633f6a51515699ab3175e585a
SHA1

918e691020ce6dd6ae3275a0c468fc80986cbf25
SHA256

485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947
SHA512

7bb3b6d2f8833f373e023c558107359db43f10dc874ff42db2e7ec9f14f6220a20cded68bb68dd29a319c26e79ae4e681e566cf707d31e23f36d93878fe0cba4

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET8C77.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET8C77.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Executes dropped EXE 5 IoCs

Processes:

openvpn-2.4.6-install.exetap-windows.exetapinstall.exetapinstall.exeopenvpnserv.exe

pid process

2236 openvpn-2.4.6-install.exe
2356 tap-windows.exe
2412 tapinstall.exe
2460 tapinstall.exe
2676 openvpnserv.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2236	openvpn-2.4.6-install.exe
2356	tap-windows.exe
2412	tapinstall.exe
2460	tapinstall.exe
2676	openvpnserv.exe

Loads dropped DLL 49 IoCs

Processes:

MsiExec.exeopenvpn-2.4.6-install.exetap-windows.exe

pid	process
2108	MsiExec.exe
2108	MsiExec.exe
2108	MsiExec.exe
2108	MsiExec.exe
2108	MsiExec.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2356	tap-windows.exe
2356	tap-windows.exe
2356	tap-windows.exe
2356	tap-windows.exe
2356	tap-windows.exe
2356	tap-windows.exe
2356	tap-windows.exe
2356	tap-windows.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
460
460
2108	MsiExec.exe
1328
1328
1328
1328
2108	MsiExec.exe
1328
1328
1328
1328

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Program Files\OpenVPN\bin\openvpn.exe	js

Drops file in System32 directory 38 IoCs

Processes:

DrvInst.exeDrvInst.exePnPutil.exetapinstall.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\SET849C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0954cf50-0571-6175-1c67-912afcf38827}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_7b2f8786a9ddb778\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\SET848B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0954cf50-0571-6175-1c67-912afcf38827}\SET1E7A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\SET848B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\SET84AC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0954cf50-0571-6175-1c67-912afcf38827}\SET1E7A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_7b2f8786a9ddb778\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	PnPutil.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0954cf50-0571-6175-1c67-912afcf38827}\SET1E79.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\SET849C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_7b2f8786a9ddb778\OemVista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	PnPutil.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0954cf50-0571-6175-1c67-912afcf38827}\SET1E79.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	PnPutil.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f2f30a6-05f7-416d-d1a5-57451dc74e1f}\SET84AC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0954cf50-0571-6175-1c67-912afcf38827}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0954cf50-0571-6175-1c67-912afcf38827}\OemVista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe

Drops file in Program Files directory 30 IoCs

Processes:

openvpn-2.4.6-install.exetap-windows.execmd.exe

description	ioc	process
File created	C:\Program Files\OpenVPN\config\README.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\log\README.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\Uninstall.exe	tap-windows.exe
File created	C:\Program Files\OpenVPN\sample-config\server.ovpn	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\license.txt	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dll	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\icon.ico	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\libssl-1_1-x64.dll	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv2.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\bin\tapinstall.exe	tap-windows.exe
File created	C:\Program Files\TAP-Windows\driver\OemVista.inf	tap-windows.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.cat	tap-windows.exe
File created	C:\Program Files\OpenVPN\sample-config\sample.ovpn	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\Uninstall.exe	openvpn-2.4.6-install.exe
File opened for modification	C:\Program Files\OpenVPN\config\grad.ovpn	cmd.exe
File created	C:\Program Files\OpenVPN\doc\INSTALL-win32.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openvpn-gui.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openssl.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\doc\license.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\sample-config\client.ovpn	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\bin\deltapall.bat	tap-windows.exe
File created	C:\Program Files\OpenVPN\doc\openvpn.8.html	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.sys	tap-windows.exe
File created	C:\Program Files\TAP-Windows\bin\addtap.bat	tap-windows.exe
File created	C:\Program Files\OpenVPN\icon.ico	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openvpn.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\liblzo2-2.dll	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\config\grad.ovpn	cmd.exe

Drops file in Windows directory 34 IoCs

Processes:

PnPutil.exeDrvInst.exemsiexec.exeDrvInst.exetapinstall.exeDrvInst.exeDrvInst.exeDrvInst.exeexpand.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	PnPutil.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f7446e1.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI937D.tmp	msiexec.exe
File created	C:\Windows\Installer\f7446e3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7446e1.ipi	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	PnPutil.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\Installer\f7446e0.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\MSI944A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI4902.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4912.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7446e0.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSI50C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe

NSIS installer 13 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\openvpn.msi	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files.cab	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

572 taskkill.exe

pid	process
572	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

MsiExec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\ForegroundLockTimeout = "200000"	MsiExec.exe

Modifies data under HKEY_USERS 251 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe

Modifies registry class 15 IoCs

Processes:

openvpn-2.4.6-install.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\ = "Start OpenVPN on this config file"	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe\" --pause-exit --config \"%1\""	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "open"	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\icon.ico,0"	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn\ = "OpenVPNFile"	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\ = "OpenVPN Config File"	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command\ = "notepad.exe \"%1\""	openvpn-2.4.6-install.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1784 PING.EXE
3012 PING.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

msiexec.exeopenvpn-2.4.6-install.exe

pid process

1220 msiexec.exe
1220 msiexec.exe
2236 openvpn-2.4.6-install.exe
2236 openvpn-2.4.6-install.exe
2236 openvpn-2.4.6-install.exe

pid	process
1784	PING.EXE
3012	PING.EXE

pid	process
1220	msiexec.exe
1220	msiexec.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe
2236	openvpn-2.4.6-install.exe

Suspicious use of AdjustPrivilegeToken 176 IoCs

Processes:

taskkill.exePnPutil.exeDrvInst.exevssvc.exeDrvInst.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe
Token: SeBackupPrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1380	DrvInst.exe
Token: SeRestorePrivilege	1648	DrvInst.exe
Token: SeRestorePrivilege	1648	DrvInst.exe
Token: SeRestorePrivilege	1648	DrvInst.exe
Token: SeRestorePrivilege	1648	DrvInst.exe
Token: SeRestorePrivilege	1648	DrvInst.exe
Token: SeRestorePrivilege	1648	DrvInst.exe
Token: SeRestorePrivilege	1648	DrvInst.exe
Token: SeLoadDriverPrivilege	1648	DrvInst.exe
Token: SeLoadDriverPrivilege	1648	DrvInst.exe
Token: SeLoadDriverPrivilege	1648	DrvInst.exe
Token: SeRestorePrivilege	668	PnPutil.exe
Token: SeShutdownPrivilege	1776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeSecurityPrivilege	1220	msiexec.exe
Token: SeCreateTokenPrivilege	1776	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1776	msiexec.exe
Token: SeLockMemoryPrivilege	1776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1776	msiexec.exe
Token: SeMachineAccountPrivilege	1776	msiexec.exe
Token: SeTcbPrivilege	1776	msiexec.exe
Token: SeSecurityPrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeLoadDriverPrivilege	1776	msiexec.exe
Token: SeSystemProfilePrivilege	1776	msiexec.exe
Token: SeSystemtimePrivilege	1776	msiexec.exe
Token: SeProfSingleProcessPrivilege	1776	msiexec.exe
Token: SeIncBasePriorityPrivilege	1776	msiexec.exe
Token: SeCreatePagefilePrivilege	1776	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1776 msiexec.exe
1776 msiexec.exe

pid	process
1776	msiexec.exe
1776	msiexec.exe

Suspicious use of WriteProcessMemory 157 IoCs

Processes:

485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.execmd.execmd.execmd.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 1756 wrote to memory of 1064	1756	485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe	cmd.exe
PID 1756 wrote to memory of 1064	1756	485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe	cmd.exe
PID 1756 wrote to memory of 1064	1756	485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe	cmd.exe
PID 1756 wrote to memory of 1064	1756	485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe	cmd.exe
PID 1064 wrote to memory of 1968	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1968	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1968	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1968	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 2008	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 2008	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 2008	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 2008	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1304	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1304	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1304	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1304	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1784	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1784	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1784	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1784	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 572	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 572	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 572	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 572	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 612	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 612	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 612	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 612	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1060	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1060	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1060	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1060	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1724	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1724	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1724	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1724	1064	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1432	1724	cmd.exe	certutil.exe
PID 1724 wrote to memory of 1432	1724	cmd.exe	certutil.exe
PID 1724 wrote to memory of 1432	1724	cmd.exe	certutil.exe
PID 1724 wrote to memory of 1432	1724	cmd.exe	certutil.exe
PID 1064 wrote to memory of 808	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 808	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 808	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 808	1064	cmd.exe	cmd.exe
PID 808 wrote to memory of 668	808	cmd.exe	PnPutil.exe
PID 808 wrote to memory of 668	808	cmd.exe	PnPutil.exe
PID 808 wrote to memory of 668	808	cmd.exe	PnPutil.exe
PID 808 wrote to memory of 668	808	cmd.exe	PnPutil.exe
PID 1064 wrote to memory of 1776	1064	cmd.exe	msiexec.exe
PID 1064 wrote to memory of 1776	1064	cmd.exe	msiexec.exe
PID 1064 wrote to memory of 1776	1064	cmd.exe	msiexec.exe
PID 1064 wrote to memory of 1776	1064	cmd.exe	msiexec.exe
PID 1064 wrote to memory of 1776	1064	cmd.exe	msiexec.exe
PID 1064 wrote to memory of 1776	1064	cmd.exe	msiexec.exe
PID 1064 wrote to memory of 1776	1064	cmd.exe	msiexec.exe
PID 1220 wrote to memory of 2108	1220	msiexec.exe	MsiExec.exe
PID 1220 wrote to memory of 2108	1220	msiexec.exe	MsiExec.exe
PID 1220 wrote to memory of 2108	1220	msiexec.exe	MsiExec.exe
PID 1220 wrote to memory of 2108	1220	msiexec.exe	MsiExec.exe
PID 1220 wrote to memory of 2108	1220	msiexec.exe	MsiExec.exe
PID 1220 wrote to memory of 2108	1220	msiexec.exe	MsiExec.exe
PID 1220 wrote to memory of 2108	1220	msiexec.exe	MsiExec.exe
PID 2108 wrote to memory of 2160	2108	MsiExec.exe	expand.exe
PID 2108 wrote to memory of 2160	2108	MsiExec.exe	expand.exe

C:\Users\Admin\AppData\Local\Temp\485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe
"C:\Users\Admin\AppData\Local\Temp\485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\config.bat" "
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:1968

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2008

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:1304

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -w 1 -n 3
3⤵
- Runs ping.exe
PID:1784

C:\Windows\SysWOW64\taskkill.exe
taskkill /fi "imagename eq openvpn*" /T /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:612

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -addstore -Enterprise TrustedPublisher openvpn.cer
3⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\certutil.exe
certutil -addstore -Enterprise TrustedPublisher openvpn.cer
4⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c %SystemPath%\pnputil -i -a OemVista.inf
3⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\PnPutil.exe
C:\Windows\Sysnative\pnputil -i -a OemVista.inf
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\msiexec.exe
msiexec /i openvpn.msi
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1776

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c move /Y "C:\Users\Public\Desktop\OpenVPN GUI.lnk" "C:\Users\Admin\Desktop\Удаленный доступ\"
3⤵
PID:2808

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:2820

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy /Y *.rdp "C:\Users\Admin\Desktop\Удаленный доступ\"
3⤵
PID:2844

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:2856

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2868

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:2880

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy /Y *.pdf "C:\Users\Admin\Desktop\Удаленный доступ\"
3⤵
PID:2904

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:2916

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2928

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:2940

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2952

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:2964

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 set global dhcpmediasense=enabled
3⤵
PID:2976

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -w 1 -n 3
3⤵
- Runs ping.exe
PID:3012

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{071970ea-bf07-33f6-e976-3d6a57ebe27b}\OemVista.inf" "9" "615abe207" "0000000000000530" "WinSta0\Default" "00000000000003CC" "208" "C:\Users\Admin\AppData\Local\Temp\ovpn_tmp"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005CC" "00000000000005C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C7BBDDAD0E29C1293842DB9463D7E10E
2⤵
- Loads dropped DLL
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:2160

C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe
"C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe" /S /SELECT_SHORTCUTS=1 /SELECT_OPENVPN=1 /SELECT_SERVICE=1 /SELECT_TAP=1 /SELECT_OPENVPNGUI=1 /SELECT_ASSOCIATIONS=1 /SELECT_OPENSSL_UTILITIES=0 /SELECT_EASYRSA=0 /SELECT_PATH=1 /SELECT_OPENSSLDLLS=1 /SELECT_LZODLLS=1 /SELECT_PKCS11DLLS=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
"C:\Users\Admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2356

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
5⤵
- Executes dropped EXE
PID:2412

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files"
3⤵
PID:2752

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000003C8" "00000000000005A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1060

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{52db29fd-b9f7-3e4b-86bf-3064cef98f01}\oemvista.inf" "9" "6d14a44ff" "00000000000003D0" "WinSta0\Default" "00000000000005D4" "208" "c:\program files\tap-windows\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2528

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "00000000000003D0" "00000000000005DC" "00000000000005D8"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2588

C:\Program Files\OpenVPN\bin\openvpnserv.exe
"C:\Program Files\OpenVPN\bin\openvpnserv.exe"
1⤵
- Executes dropped EXE
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files\TAP-Windows\driver\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files.cab
MD5
35f8ccd6cb55cf73883af78675536fd2

SHA1
5b27e2896b991575960bb7d9a37d61fe1724db04

SHA256
9c73cf070c04ea83c183c2fd5412cac78785333b6e2b655c671e9a7aecf4b9f6

SHA512
82ce965a49a39897eec2628c14b978deea69e55a1661682825e49957790fe248a26ada447e138597968831fb51a2f87ddce3e344d77754b2bb01fe3fda177aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe
MD5
b89e06ae7e4a064a736f13b337c22f70

SHA1
3c478476c3e77b473b06452ab3f40cf9074f73a5

SHA256
7397af1128c35a0e44bb104caa3cdad77b5be7c5106c8933a810771f99256800

SHA512
1d8456847c84425d5078062bca790c2ffcd6cc0a227ee4522537a87716de3878065b9813cd1aa6b56ebb3fbfb0558f5b71ecbfe20063d01ab4f9c5ba932a28f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe
MD5
b89e06ae7e4a064a736f13b337c22f70

SHA1
3c478476c3e77b473b06452ab3f40cf9074f73a5

SHA256
7397af1128c35a0e44bb104caa3cdad77b5be7c5106c8933a810771f99256800

SHA512
1d8456847c84425d5078062bca790c2ffcd6cc0a227ee4522537a87716de3878065b9813cd1aa6b56ebb3fbfb0558f5b71ecbfe20063d01ab4f9c5ba932a28f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\OemVista.inf
MD5
41884571579f88540326252b81d0a9f8

SHA1
cfd0ba5db827d21e4fa71663c045b5676d303d6e

SHA256
a461b764e248d3e59a1a730ff94af7e61121f5a02004e02b3b866ac8fd1689be

SHA512
3eeeffc02998c73a11d4a0988fe3823b52ce560f8cb40c76ab810d5ea78dd42811cf30ae35bf11d55f17b3804154ddb483acff2f11261bfc382b5e18eb42688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\config.bat
MD5
5d6fb253f72cf38dc3794347f85223fd

SHA1
cf51bda2ed47375388022dcf55074e280d914e67

SHA256
79d9c3512d7fb6ec9aad6da1dd326cfec2aaa5868b7377bee9c8acd8be404e13

SHA512
e3cef30a9a3f22f3d2f8538d2c2425d199fc1f8a6f54390c0d53bf503eaa1b05e211a756601a5f5d1a1d4be3c82162a69dca415cbebda0772788fded1180449e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\openvpn.cer
MD5
c759d588bceb1c8a8c8a4d2c00103ba1

SHA1
5e66e0ca2367757e800e65b770629026e131a7dc

SHA256
5ea48986cbb2b014628d8d1fd47754f496f425054baa726bb59a9fda0a1e4d8a

SHA512
8afd4a0df860735f82174b18b233d61f9ba0c13a2f8eba86a9131c413b4a51dffe4b016f1dac69e01161dab81f19a05ac719350e75fea4247d0e6e4ce25bf79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\openvpn.msi
MD5
00d10155028ef91c0f8afdc9e72cfded

SHA1
f65a0815c8ea021dd7c4a5840fbc346b940800c1

SHA256
c004567bba19ed7d2868ac9e37ec1f52182fcba74608d5a07eae6212d887f77e

SHA512
1dc29c32d0f9f7cf40d22483ddb16865999e8bf8ae604e8792016b0e376e9e5f2c9b6e300c79ae570dc9783457dc4ec81b426856c46d041dbf63d00542612db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\tap0901.cat
MD5
ad8a5cbec4f83ae4f850c793713ee770

SHA1
bee00a5037d4f1232837d27bca21658efcff1750

SHA256
878c1b205887b61906f6f4f8da5783d2bb8756d0a39359288d09f65f983b27c2

SHA512
5e88ce1ba2c1dc17e04d26d9afaa97987e61d1c57c97bb1e8a07561b33f763052d0e4bddd184e11ac19e514c7041f9750a6dc576f27161a136765fd1240e5327

Download Submit
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
MD5
47fa5f0670cf191d066e5dfbf4f4ee70

SHA1
db9d441c209fb28b7c07286a74fe000738304dac

SHA256
645bee92ba4e9f32ddfdd9f8519dc1b9f9ff0b0a8e87e342f08d39da77e499a9

SHA512
514f0dd1b7d8c4aad5cc06882a96be2096e57eb4228df1d78f2bcc60003af8ebc057cce5eedda9b8a2dc851a52895c0a4b07556b4535271767817d9ea45e0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
MD5
47fa5f0670cf191d066e5dfbf4f4ee70

SHA1
db9d441c209fb28b7c07286a74fe000738304dac

SHA256
645bee92ba4e9f32ddfdd9f8519dc1b9f9ff0b0a8e87e342f08d39da77e499a9

SHA512
514f0dd1b7d8c4aad5cc06882a96be2096e57eb4228df1d78f2bcc60003af8ebc057cce5eedda9b8a2dc851a52895c0a4b07556b4535271767817d9ea45e0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\{071970ea-bf07-33f6-e976-3d6a57ebe27b}\OemVista.inf
MD5
41884571579f88540326252b81d0a9f8

SHA1
cfd0ba5db827d21e4fa71663c045b5676d303d6e

SHA256
a461b764e248d3e59a1a730ff94af7e61121f5a02004e02b3b866ac8fd1689be

SHA512
3eeeffc02998c73a11d4a0988fe3823b52ce560f8cb40c76ab810d5ea78dd42811cf30ae35bf11d55f17b3804154ddb483acff2f11261bfc382b5e18eb42688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{071970ea-bf07-33f6-e976-3d6a57ebe27b}\tap0901.cat
MD5
ad8a5cbec4f83ae4f850c793713ee770

SHA1
bee00a5037d4f1232837d27bca21658efcff1750

SHA256
878c1b205887b61906f6f4f8da5783d2bb8756d0a39359288d09f65f983b27c2

SHA512
5e88ce1ba2c1dc17e04d26d9afaa97987e61d1c57c97bb1e8a07561b33f763052d0e4bddd184e11ac19e514c7041f9750a6dc576f27161a136765fd1240e5327

Download Submit
C:\Users\Admin\AppData\Local\Temp\{52DB2~1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{52db29fd-b9f7-3e4b-86bf-3064cef98f01}\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Local\Temp\{52db29fd-b9f7-3e4b-86bf-3064cef98f01}\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\INF\oem2.inf
MD5
41884571579f88540326252b81d0a9f8

SHA1
cfd0ba5db827d21e4fa71663c045b5676d303d6e

SHA256
a461b764e248d3e59a1a730ff94af7e61121f5a02004e02b3b866ac8fd1689be

SHA512
3eeeffc02998c73a11d4a0988fe3823b52ce560f8cb40c76ab810d5ea78dd42811cf30ae35bf11d55f17b3804154ddb483acff2f11261bfc382b5e18eb42688b

Download Submit
C:\Windows\Installer\MSI4912.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\Installer\MSI50C2.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
MD5
e2b217677ec2568804f15009e58f66f4

SHA1
53a356c801f8761b1876eea0cf56711fb84117c2

SHA256
042dca726a0195f6f2e63c6d429a981f082c2232741d6e21d17a7afddbedec7e

SHA512
d346919986a69683976de7cffe4351047e83bf96ac7af902fb375e15ceb0074dab5ef87175d976e6ddf7444c89fb0ab6b8a2e8765c4136bfcb0069d7622404c0

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.PNF
MD5
03d11d658bb990ad24173e19b9bb1d41

SHA1
e9aadc90d86abb7aff4c1e52edc50cace19262d1

SHA256
311e5016cb02446b48f70e83267b0350f03e2c59e7ad585f5ce6326793f71abf

SHA512
087881846263d1704d43eab4f2713a9a0aaade68b4fd75b6367fc7ad97111aab93a2a7330e89a7c16b29ac92282f04ef5256977c703061d671d27dc785ca6a34

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\oemvista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_a572b7f20c402d28\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1
MD5
cce53fcb9815b226d546d7e932090fde

SHA1
36d4f398498b3139696915c86936fd6abe0e7f9f

SHA256
eb81891aed803307deae19432132c24e5f496a8d9251a633f2db6975e08fd40f

SHA512
208d238dbdd7d88236584f58596fcb6ab1a633d1ea51229a4564f4f64f0c678ceedfe15d5184dc8a39d17e0e77bb4b7fb171a10b8c2c529b66be0df3d2de2ddc

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\PROGRA~1\TAP-WI~1\driver\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files\tap-windows\driver\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\Program Files\OpenVPN\bin\openvpn.exe
MD5
2607f2db16d54213f4971fcf990048a2

SHA1
a99437e9210a34010d84c76fb293f1bb3759df23

SHA256
95736a81f920d8754930da3abc05f9201210ffb64d147c92597fe1ba4e7399e6

SHA512
7ecc2097707ebed7ed3816ce81d99660bde1f7eff52c66462d16dd574a9d3ff76c4e154bb2dcd1964d2db5789a122cc2533ee818c0a478e0ce5ede868b1c3555

Download Submit
\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe
MD5
b89e06ae7e4a064a736f13b337c22f70

SHA1
3c478476c3e77b473b06452ab3f40cf9074f73a5

SHA256
7397af1128c35a0e44bb104caa3cdad77b5be7c5106c8933a810771f99256800

SHA512
1d8456847c84425d5078062bca790c2ffcd6cc0a227ee4522537a87716de3878065b9813cd1aa6b56ebb3fbfb0558f5b71ecbfe20063d01ab4f9c5ba932a28f4

Download Submit
\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe
MD5
b89e06ae7e4a064a736f13b337c22f70

SHA1
3c478476c3e77b473b06452ab3f40cf9074f73a5

SHA256
7397af1128c35a0e44bb104caa3cdad77b5be7c5106c8933a810771f99256800

SHA512
1d8456847c84425d5078062bca790c2ffcd6cc0a227ee4522537a87716de3878065b9813cd1aa6b56ebb3fbfb0558f5b71ecbfe20063d01ab4f9c5ba932a28f4

Download Submit
\Users\Admin\AppData\Local\Temp\MW-e811e3a8-97c4-4e7d-8e07-aba5c040cb43\files\openvpn-2.4.6-install.exe
MD5
b89e06ae7e4a064a736f13b337c22f70

SHA1
3c478476c3e77b473b06452ab3f40cf9074f73a5

SHA256
7397af1128c35a0e44bb104caa3cdad77b5be7c5106c8933a810771f99256800

SHA512
1d8456847c84425d5078062bca790c2ffcd6cc0a227ee4522537a87716de3878065b9813cd1aa6b56ebb3fbfb0558f5b71ecbfe20063d01ab4f9c5ba932a28f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8058.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8058.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8058.tmp\UserInfo.dll
MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8058.tmp\nsExec.dll
MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8058.tmp\nsExec.dll
MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\System.dll
MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\System.dll
MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\UserInfo.dll
MD5
9f0cb655a832fdecb9433dd781004637

SHA1
bea6b32a5d2d6d152a52847db1184fab956a9d3b

SHA256
a94fd67daf9137b26e2d98aa4cf46614439bd64263c5c211369a232c444862ea

SHA512
5fd32197a5d9bb7cc65e3917791023fbe2b80a34899d4363475a7fb05fb1051c0a17c72359f3c215d0fd41bbb2dfed0bb95c766131fc175c18ac91cf54b05551

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\nsExec.dll
MD5
1139fb5cc942e668c8277f8b8f1e5f20

SHA1
94bbb2454dad420b70553c0fca4899f120d3ed43

SHA256
9cb71f00c19397723d39861ff809c70f9d2cdbcf91b3dd8021060714512a39cb

SHA512
08e8eb820801875208d9f28fb1416e0fc66abf5cc343e7ac973cc6736dbcd0f85b1bf42e8d110ad8c9a9ced204c00cf530099b8c411871762615051e1f7061d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6F1A.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\tap-windows.exe
MD5
47fa5f0670cf191d066e5dfbf4f4ee70

SHA1
db9d441c209fb28b7c07286a74fe000738304dac

SHA256
645bee92ba4e9f32ddfdd9f8519dc1b9f9ff0b0a8e87e342f08d39da77e499a9

SHA512
514f0dd1b7d8c4aad5cc06882a96be2096e57eb4228df1d78f2bcc60003af8ebc057cce5eedda9b8a2dc851a52895c0a4b07556b4535271767817d9ea45e0713

Download Submit
\Windows\Installer\MSI4912.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
\Windows\Installer\MSI50C2.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
memory/572-10-0x0000000000000000-mapping.dmp

Download
memory/612-11-0x0000000000000000-mapping.dmp

Download
memory/668-17-0x0000000000000000-mapping.dmp

Download
memory/808-16-0x0000000000000000-mapping.dmp

Download
memory/1060-12-0x0000000000000000-mapping.dmp

Download
memory/1064-4-0x0000000000000000-mapping.dmp

Download
memory/1304-8-0x0000000000000000-mapping.dmp

Download
memory/1432-14-0x0000000000000000-mapping.dmp

Download
memory/1724-13-0x0000000000000000-mapping.dmp

Download
memory/1756-2-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1776-26-0x00000000031B0000-0x00000000031B4000-memory.dmp

Filesize
16KB

Download
memory/1776-23-0x0000000000000000-mapping.dmp

Download
memory/1776-25-0x00000000024A0000-0x00000000024A4000-memory.dmp

Filesize
16KB

Download
memory/1776-91-0x00000000020A0000-0x00000000020A4000-memory.dmp

Filesize
16KB

Download
memory/1784-9-0x0000000000000000-mapping.dmp

Download
memory/1968-6-0x0000000000000000-mapping.dmp

Download
memory/2008-7-0x0000000000000000-mapping.dmp

Download
memory/2108-30-0x0000000000000000-mapping.dmp

Download
memory/2108-35-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2160-33-0x0000000000000000-mapping.dmp

Download
memory/2236-42-0x0000000000000000-mapping.dmp

Download
memory/2356-65-0x0000000000000000-mapping.dmp

Download
memory/2412-74-0x0000000000000000-mapping.dmp

Download
memory/2460-78-0x0000000000000000-mapping.dmp

Download
memory/2752-90-0x0000000000000000-mapping.dmp

Download
memory/2796-92-0x0000000000000000-mapping.dmp

Download
memory/2808-93-0x0000000000000000-mapping.dmp

Download
memory/2820-94-0x0000000000000000-mapping.dmp

Download
memory/2832-95-0x0000000000000000-mapping.dmp

Download
memory/2844-96-0x0000000000000000-mapping.dmp

Download
memory/2856-97-0x0000000000000000-mapping.dmp

Download
memory/2868-98-0x0000000000000000-mapping.dmp

Download
memory/2880-99-0x0000000000000000-mapping.dmp

Download
memory/2892-100-0x0000000000000000-mapping.dmp

Download
memory/2904-101-0x0000000000000000-mapping.dmp

Download
memory/2916-102-0x0000000000000000-mapping.dmp

Download
memory/2928-103-0x0000000000000000-mapping.dmp

Download
memory/2940-104-0x0000000000000000-mapping.dmp

Download
memory/2952-105-0x0000000000000000-mapping.dmp

Download
memory/2964-106-0x0000000000000000-mapping.dmp

Download
memory/2976-107-0x0000000000000000-mapping.dmp

Download
memory/3012-108-0x0000000000000000-mapping.dmp

Download