2db131a19b56e70ea942cc12d0ce7732c20a27284f1e44c25e7be8b164e6bcfd

Analysis

max time kernel
100s
max time network
104s
platform
windows10_x64
resource
win10v20201028
submitted
14-01-2021 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe
Size

4.6MB
MD5

e06b042633f6a51515699ab3175e585a
SHA1

918e691020ce6dd6ae3275a0c468fc80986cbf25
SHA256

485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947
SHA512

7bb3b6d2f8833f373e023c558107359db43f10dc874ff42db2e7ec9f14f6220a20cded68bb68dd29a319c26e79ae4e681e566cf707d31e23f36d93878fe0cba4

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\SETD96E.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETD96E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Executes dropped EXE 5 IoCs

Processes:

openvpn-2.4.6-install.exetap-windows.exetapinstall.exetapinstall.exeopenvpnserv.exe

pid process

3144 openvpn-2.4.6-install.exe
4992 tap-windows.exe
1944 tapinstall.exe
8 tapinstall.exe
2560 openvpnserv.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3144	openvpn-2.4.6-install.exe
4992	tap-windows.exe
1944	tapinstall.exe
8	tapinstall.exe
2560	openvpnserv.exe

Loads dropped DLL 46 IoCs

Processes:

MsiExec.exeopenvpn-2.4.6-install.exetap-windows.exe

pid	process
4796	MsiExec.exe
4796	MsiExec.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
4992	tap-windows.exe
4992	tap-windows.exe
4992	tap-windows.exe
4992	tap-windows.exe
4992	tap-windows.exe
4992	tap-windows.exe
4992	tap-windows.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
4796	MsiExec.exe
4796	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in System32 directory 29 IoCs

Processes:

DrvInst.exeDrvInst.exetapinstall.exepnputil.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3be90684-14bc-6e46-83d4-de1603303320}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3be90684-14bc-6e46-83d4-de1603303320}\SET8080.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3be90684-14bc-6e46-83d4-de1603303320}\SET8080.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3be90684-14bc-6e46-83d4-de1603303320}\SET8091.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\SETD76A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\SETD76B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\SETD76C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3be90684-14bc-6e46-83d4-de1603303320}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\SETD76B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_7b2f8786a9ddb778\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_7b2f8786a9ddb778\oemvista.PNF	pnputil.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3be90684-14bc-6e46-83d4-de1603303320}\OemVista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3be90684-14bc-6e46-83d4-de1603303320}\SET8091.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\SETD76C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_7b2f8786a9ddb778\OemVista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\SETD76A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{760c4566-4893-154d-af22-5d3398f7b548}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe

Drops file in Program Files directory 30 IoCs

Processes:

openvpn-2.4.6-install.exetap-windows.execmd.exe

description	ioc	process
File created	C:\Program Files\OpenVPN\bin\openvpn.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\config\README.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv2.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openssl.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\Uninstall.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\bin\tapinstall.exe	tap-windows.exe
File created	C:\Program Files\TAP-Windows\driver\OemVista.inf	tap-windows.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.cat	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\openvpn-gui.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\icon.ico	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\bin\deltapall.bat	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\liblzo2-2.dll	openvpn-2.4.6-install.exe
File opened for modification	C:\Program Files\OpenVPN\config\grad.ovpn	cmd.exe
File created	C:\Program Files\OpenVPN\sample-config\sample.ovpn	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\log\README.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.sys	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\doc\license.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\bin\addtap.bat	tap-windows.exe
File created	C:\Program Files\OpenVPN\doc\openvpn.8.html	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv.exe	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\sample-config\server.ovpn	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\license.txt	tap-windows.exe
File created	C:\Program Files\TAP-Windows\Uninstall.exe	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\libssl-1_1-x64.dll	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\doc\INSTALL-win32.txt	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\sample-config\client.ovpn	openvpn-2.4.6-install.exe
File created	C:\Program Files\TAP-Windows\icon.ico	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dll	openvpn-2.4.6-install.exe
File created	C:\Program Files\OpenVPN\config\grad.ovpn	cmd.exe

Drops file in Windows directory 25 IoCs

Processes:

DrvInst.exemsiexec.exeexpand.exeDrvInst.exetapinstall.exeDrvInst.exepnputil.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIC26E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIDCCD.tmp	msiexec.exe
File created	C:\Windows\Installer\f74bc53.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74bc51.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDD8.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\Installer\f74bc51.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File created	C:\Windows\Installer\SourceHash{05C4CA95-8208-4436-84D8-ADFC5CE89FEC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIDD6B.tmp	msiexec.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\openvpn.msi	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files.cab	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files\openvpn-2.4.6-install.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files\openvpn-2.4.6-install.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 144 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exesvchost.exeDrvInst.exepnputil.exeDrvInst.exetapinstall.exeDrvInst.exetapinstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	DrvInst.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

540 taskkill.exe

pid	process
540	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

MsiExec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\ForegroundLockTimeout = "200000"	MsiExec.exe

Modifies data under HKEY_USERS 88 IoCs

Processes:

DrvInst.exeDrvInst.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 15 IoCs

Processes:

openvpn-2.4.6-install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "open"	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\icon.ico,0"	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command\ = "notepad.exe \"%1\""	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe\" --pause-exit --config \"%1\""	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn\ = "OpenVPNFile"	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\ = "OpenVPN Config File"	openvpn-2.4.6-install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\ = "Start OpenVPN on this config file"	openvpn-2.4.6-install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command	openvpn-2.4.6-install.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4276 PING.EXE
4508 PING.EXE

pid	process
4276	PING.EXE
4508	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exeopenvpn-2.4.6-install.exe

pid	process
4024	msiexec.exe
4024	msiexec.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe
3144	openvpn-2.4.6-install.exe

Suspicious use of AdjustPrivilegeToken 104 IoCs

Processes:

taskkill.exesvchost.exemsiexec.exemsiexec.exevssvc.exetapinstall.exeDrvInst.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeAuditPrivilege	1860	svchost.exe
Token: SeSecurityPrivilege	1860	svchost.exe
Token: SeShutdownPrivilege	3088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3088	msiexec.exe
Token: SeSecurityPrivilege	4024	msiexec.exe
Token: SeCreateTokenPrivilege	3088	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3088	msiexec.exe
Token: SeLockMemoryPrivilege	3088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3088	msiexec.exe
Token: SeMachineAccountPrivilege	3088	msiexec.exe
Token: SeTcbPrivilege	3088	msiexec.exe
Token: SeSecurityPrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeLoadDriverPrivilege	3088	msiexec.exe
Token: SeSystemProfilePrivilege	3088	msiexec.exe
Token: SeSystemtimePrivilege	3088	msiexec.exe
Token: SeProfSingleProcessPrivilege	3088	msiexec.exe
Token: SeIncBasePriorityPrivilege	3088	msiexec.exe
Token: SeCreatePagefilePrivilege	3088	msiexec.exe
Token: SeCreatePermanentPrivilege	3088	msiexec.exe
Token: SeBackupPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeShutdownPrivilege	3088	msiexec.exe
Token: SeDebugPrivilege	3088	msiexec.exe
Token: SeAuditPrivilege	3088	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3088	msiexec.exe
Token: SeChangeNotifyPrivilege	3088	msiexec.exe
Token: SeRemoteShutdownPrivilege	3088	msiexec.exe
Token: SeUndockPrivilege	3088	msiexec.exe
Token: SeSyncAgentPrivilege	3088	msiexec.exe
Token: SeEnableDelegationPrivilege	3088	msiexec.exe
Token: SeManageVolumePrivilege	3088	msiexec.exe
Token: SeImpersonatePrivilege	3088	msiexec.exe
Token: SeCreateGlobalPrivilege	3088	msiexec.exe
Token: SeBackupPrivilege	1940	vssvc.exe
Token: SeRestorePrivilege	1940	vssvc.exe
Token: SeAuditPrivilege	1940	vssvc.exe
Token: SeBackupPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeLoadDriverPrivilege	8	tapinstall.exe
Token: SeRestorePrivilege	1000	DrvInst.exe
Token: SeBackupPrivilege	1000	DrvInst.exe
Token: SeLoadDriverPrivilege	1000	DrvInst.exe
Token: SeLoadDriverPrivilege	1000	DrvInst.exe
Token: SeLoadDriverPrivilege	1000	DrvInst.exe
Token: SeShutdownPrivilege	3972	svchost.exe
Token: SeCreatePagefilePrivilege	3972	svchost.exe
Token: SeLoadDriverPrivilege	3972	svchost.exe
Token: SeLoadDriverPrivilege	3972	svchost.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3088 msiexec.exe
3088 msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

openvpn-2.4.6-install.exetap-windows.exetapinstall.exetapinstall.exe

pid process

3144 openvpn-2.4.6-install.exe
4992 tap-windows.exe
1944 tapinstall.exe
8 tapinstall.exe

pid	process
3088	msiexec.exe
3088	msiexec.exe

pid	process
3144	openvpn-2.4.6-install.exe
4992	tap-windows.exe
1944	tapinstall.exe
8	tapinstall.exe

Suspicious use of WriteProcessMemory 86 IoCs

Processes:

485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.execmd.execmd.execmd.exesvchost.exemsiexec.exeMsiExec.exeopenvpn-2.4.6-install.exetap-windows.exe

description	pid	process	target process
PID 4816 wrote to memory of 3188	4816	485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe	cmd.exe
PID 4816 wrote to memory of 3188	4816	485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe	cmd.exe
PID 4816 wrote to memory of 3188	4816	485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe	cmd.exe
PID 3188 wrote to memory of 3376	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3376	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3376	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3920	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 3920	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 3920	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1012	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1012	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1012	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 4276	3188	cmd.exe	PING.EXE
PID 3188 wrote to memory of 4276	3188	cmd.exe	PING.EXE
PID 3188 wrote to memory of 4276	3188	cmd.exe	PING.EXE
PID 3188 wrote to memory of 540	3188	cmd.exe	taskkill.exe
PID 3188 wrote to memory of 540	3188	cmd.exe	taskkill.exe
PID 3188 wrote to memory of 540	3188	cmd.exe	taskkill.exe
PID 3188 wrote to memory of 1124	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1124	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1124	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1188	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1188	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1188	3188	cmd.exe	chcp.com
PID 3188 wrote to memory of 1316	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 1316	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 1316	3188	cmd.exe	cmd.exe
PID 1316 wrote to memory of 1400	1316	cmd.exe	certutil.exe
PID 1316 wrote to memory of 1400	1316	cmd.exe	certutil.exe
PID 1316 wrote to memory of 1400	1316	cmd.exe	certutil.exe
PID 3188 wrote to memory of 1592	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 1592	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 1592	3188	cmd.exe	cmd.exe
PID 1592 wrote to memory of 1696	1592	cmd.exe	pnputil.exe
PID 1592 wrote to memory of 1696	1592	cmd.exe	pnputil.exe
PID 1860 wrote to memory of 2068	1860	svchost.exe	DrvInst.exe
PID 1860 wrote to memory of 2068	1860	svchost.exe	DrvInst.exe
PID 3188 wrote to memory of 3088	3188	cmd.exe	msiexec.exe
PID 3188 wrote to memory of 3088	3188	cmd.exe	msiexec.exe
PID 3188 wrote to memory of 3088	3188	cmd.exe	msiexec.exe
PID 4024 wrote to memory of 208	4024	msiexec.exe	srtasks.exe
PID 4024 wrote to memory of 208	4024	msiexec.exe	srtasks.exe
PID 4024 wrote to memory of 4796	4024	msiexec.exe	MsiExec.exe
PID 4024 wrote to memory of 4796	4024	msiexec.exe	MsiExec.exe
PID 4024 wrote to memory of 4796	4024	msiexec.exe	MsiExec.exe
PID 4796 wrote to memory of 4712	4796	MsiExec.exe	expand.exe
PID 4796 wrote to memory of 4712	4796	MsiExec.exe	expand.exe
PID 4796 wrote to memory of 4712	4796	MsiExec.exe	expand.exe
PID 4796 wrote to memory of 3144	4796	MsiExec.exe	openvpn-2.4.6-install.exe
PID 4796 wrote to memory of 3144	4796	MsiExec.exe	openvpn-2.4.6-install.exe
PID 4796 wrote to memory of 3144	4796	MsiExec.exe	openvpn-2.4.6-install.exe
PID 3144 wrote to memory of 4992	3144	openvpn-2.4.6-install.exe	tap-windows.exe
PID 3144 wrote to memory of 4992	3144	openvpn-2.4.6-install.exe	tap-windows.exe
PID 3144 wrote to memory of 4992	3144	openvpn-2.4.6-install.exe	tap-windows.exe
PID 4992 wrote to memory of 1944	4992	tap-windows.exe	tapinstall.exe
PID 4992 wrote to memory of 1944	4992	tap-windows.exe	tapinstall.exe
PID 4992 wrote to memory of 8	4992	tap-windows.exe	tapinstall.exe
PID 4992 wrote to memory of 8	4992	tap-windows.exe	tapinstall.exe
PID 1860 wrote to memory of 2044	1860	svchost.exe	DrvInst.exe
PID 1860 wrote to memory of 2044	1860	svchost.exe	DrvInst.exe
PID 1860 wrote to memory of 1000	1860	svchost.exe	DrvInst.exe
PID 1860 wrote to memory of 1000	1860	svchost.exe	DrvInst.exe
PID 4796 wrote to memory of 4364	4796	MsiExec.exe	cmd.exe
PID 4796 wrote to memory of 4364	4796	MsiExec.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe
"C:\Users\Admin\AppData\Local\Temp\485a1b8434faa85a92902ea3308e6c438754edec4d97061f91f2984a0e64f947.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\config.bat" "
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:3376

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:3920

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:1012

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -w 1 -n 3
3⤵
- Runs ping.exe
PID:4276

C:\Windows\SysWOW64\taskkill.exe
taskkill /fi "imagename eq openvpn*" /T /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:1124

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -addstore -Enterprise TrustedPublisher openvpn.cer
3⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\certutil.exe
certutil -addstore -Enterprise TrustedPublisher openvpn.cer
4⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c %SystemPath%\pnputil /add-driver OemVista.inf /subdirs /install
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\pnputil.exe
C:\Windows\Sysnative\pnputil /add-driver OemVista.inf /subdirs /install
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1696

C:\Windows\SysWOW64\msiexec.exe
msiexec /i openvpn.msi
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3088

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c move /Y "C:\Users\Public\Desktop\OpenVPN GUI.lnk" "C:\Users\Admin\Desktop\Удаленный доступ\"
3⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy /Y *.rdp "C:\Users\Admin\Desktop\Удаленный доступ\"
3⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy /Y *.pdf "C:\Users\Admin\Desktop\Удаленный доступ\"
3⤵
PID:4932

C:\Windows\SysWOW64\chcp.com
chcp 866
3⤵
PID:4920

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 set global dhcpmediasense=enabled
3⤵
PID:4600

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -w 1 -n 3
3⤵
- Runs ping.exe
PID:4508

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{77f3f700-ff8b-694e-a248-1c52bcb7b32d}\OemVista.inf" "9" "415abe207" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "C:\Users\Admin\AppData\Local\Temp\ovpn_tmp"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2068

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0613b3a8-f533-5e4e-b758-736843423837}\oemvista.inf" "9" "4d14a44ff" "0000000000000180" "WinSta0\Default" "0000000000000170" "208" "c:\program files\tap-windows\driver"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:208

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E2DC3FDF4C055C0025CF49053C51F362
2⤵
- Loads dropped DLL
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:4712

C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files\openvpn-2.4.6-install.exe
"C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files\openvpn-2.4.6-install.exe" /S /SELECT_SHORTCUTS=1 /SELECT_OPENVPN=1 /SELECT_SERVICE=1 /SELECT_TAP=1 /SELECT_OPENVPNGUI=1 /SELECT_ASSOCIATIONS=1 /SELECT_OPENSSL_UTILITIES=0 /SELECT_EASYRSA=0 /SELECT_PATH=1 /SELECT_OPENSSLDLLS=1 /SELECT_LZODLLS=1 /SELECT_PKCS11DLLS=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
"C:\Users\Admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files"
3⤵
PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2888

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972

\??\c:\program files\openvpn\bin\openvpnserv.exe
"c:\program files\openvpn\bin\openvpnserv.exe"
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files\TAP-Windows\bin\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files\TAP-Windows\driver\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files.cab
MD5
35f8ccd6cb55cf73883af78675536fd2

SHA1
5b27e2896b991575960bb7d9a37d61fe1724db04

SHA256
9c73cf070c04ea83c183c2fd5412cac78785333b6e2b655c671e9a7aecf4b9f6

SHA512
82ce965a49a39897eec2628c14b978deea69e55a1661682825e49957790fe248a26ada447e138597968831fb51a2f87ddce3e344d77754b2bb01fe3fda177aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files\openvpn-2.4.6-install.exe
MD5
b89e06ae7e4a064a736f13b337c22f70

SHA1
3c478476c3e77b473b06452ab3f40cf9074f73a5

SHA256
7397af1128c35a0e44bb104caa3cdad77b5be7c5106c8933a810771f99256800

SHA512
1d8456847c84425d5078062bca790c2ffcd6cc0a227ee4522537a87716de3878065b9813cd1aa6b56ebb3fbfb0558f5b71ecbfe20063d01ab4f9c5ba932a28f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-6f5c0d62-b4ca-4886-b1b9-86f3e5933748\files\openvpn-2.4.6-install.exe
MD5
b89e06ae7e4a064a736f13b337c22f70

SHA1
3c478476c3e77b473b06452ab3f40cf9074f73a5

SHA256
7397af1128c35a0e44bb104caa3cdad77b5be7c5106c8933a810771f99256800

SHA512
1d8456847c84425d5078062bca790c2ffcd6cc0a227ee4522537a87716de3878065b9813cd1aa6b56ebb3fbfb0558f5b71ecbfe20063d01ab4f9c5ba932a28f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\OemVista.inf
MD5
41884571579f88540326252b81d0a9f8

SHA1
cfd0ba5db827d21e4fa71663c045b5676d303d6e

SHA256
a461b764e248d3e59a1a730ff94af7e61121f5a02004e02b3b866ac8fd1689be

SHA512
3eeeffc02998c73a11d4a0988fe3823b52ce560f8cb40c76ab810d5ea78dd42811cf30ae35bf11d55f17b3804154ddb483acff2f11261bfc382b5e18eb42688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\config.bat
MD5
5d6fb253f72cf38dc3794347f85223fd

SHA1
cf51bda2ed47375388022dcf55074e280d914e67

SHA256
79d9c3512d7fb6ec9aad6da1dd326cfec2aaa5868b7377bee9c8acd8be404e13

SHA512
e3cef30a9a3f22f3d2f8538d2c2425d199fc1f8a6f54390c0d53bf503eaa1b05e211a756601a5f5d1a1d4be3c82162a69dca415cbebda0772788fded1180449e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\openvpn.cer
MD5
c759d588bceb1c8a8c8a4d2c00103ba1

SHA1
5e66e0ca2367757e800e65b770629026e131a7dc

SHA256
5ea48986cbb2b014628d8d1fd47754f496f425054baa726bb59a9fda0a1e4d8a

SHA512
8afd4a0df860735f82174b18b233d61f9ba0c13a2f8eba86a9131c413b4a51dffe4b016f1dac69e01161dab81f19a05ac719350e75fea4247d0e6e4ce25bf79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\openvpn.msi
MD5
00d10155028ef91c0f8afdc9e72cfded

SHA1
f65a0815c8ea021dd7c4a5840fbc346b940800c1

SHA256
c004567bba19ed7d2868ac9e37ec1f52182fcba74608d5a07eae6212d887f77e

SHA512
1dc29c32d0f9f7cf40d22483ddb16865999e8bf8ae604e8792016b0e376e9e5f2c9b6e300c79ae570dc9783457dc4ec81b426856c46d041dbf63d00542612db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovpn_tmp\tap0901.cat
MD5
ad8a5cbec4f83ae4f850c793713ee770

SHA1
bee00a5037d4f1232837d27bca21658efcff1750

SHA256
878c1b205887b61906f6f4f8da5783d2bb8756d0a39359288d09f65f983b27c2

SHA512
5e88ce1ba2c1dc17e04d26d9afaa97987e61d1c57c97bb1e8a07561b33f763052d0e4bddd184e11ac19e514c7041f9750a6dc576f27161a136765fd1240e5327

Download Submit
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
MD5
47fa5f0670cf191d066e5dfbf4f4ee70

SHA1
db9d441c209fb28b7c07286a74fe000738304dac

SHA256
645bee92ba4e9f32ddfdd9f8519dc1b9f9ff0b0a8e87e342f08d39da77e499a9

SHA512
514f0dd1b7d8c4aad5cc06882a96be2096e57eb4228df1d78f2bcc60003af8ebc057cce5eedda9b8a2dc851a52895c0a4b07556b4535271767817d9ea45e0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
MD5
47fa5f0670cf191d066e5dfbf4f4ee70

SHA1
db9d441c209fb28b7c07286a74fe000738304dac

SHA256
645bee92ba4e9f32ddfdd9f8519dc1b9f9ff0b0a8e87e342f08d39da77e499a9

SHA512
514f0dd1b7d8c4aad5cc06882a96be2096e57eb4228df1d78f2bcc60003af8ebc057cce5eedda9b8a2dc851a52895c0a4b07556b4535271767817d9ea45e0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\{77F3F~1\tap0901.cat
MD5
ad8a5cbec4f83ae4f850c793713ee770

SHA1
bee00a5037d4f1232837d27bca21658efcff1750

SHA256
878c1b205887b61906f6f4f8da5783d2bb8756d0a39359288d09f65f983b27c2

SHA512
5e88ce1ba2c1dc17e04d26d9afaa97987e61d1c57c97bb1e8a07561b33f763052d0e4bddd184e11ac19e514c7041f9750a6dc576f27161a136765fd1240e5327

Download Submit
C:\Users\Admin\AppData\Local\Temp\{77f3f700-ff8b-694e-a248-1c52bcb7b32d}\OemVista.inf
MD5
41884571579f88540326252b81d0a9f8

SHA1
cfd0ba5db827d21e4fa71663c045b5676d303d6e

SHA256
a461b764e248d3e59a1a730ff94af7e61121f5a02004e02b3b866ac8fd1689be

SHA512
3eeeffc02998c73a11d4a0988fe3823b52ce560f8cb40c76ab810d5ea78dd42811cf30ae35bf11d55f17b3804154ddb483acff2f11261bfc382b5e18eb42688b

Download Submit
C:\Windows\INF\oem2.inf
MD5
41884571579f88540326252b81d0a9f8

SHA1
cfd0ba5db827d21e4fa71663c045b5676d303d6e

SHA256
a461b764e248d3e59a1a730ff94af7e61121f5a02004e02b3b866ac8fd1689be

SHA512
3eeeffc02998c73a11d4a0988fe3823b52ce560f8cb40c76ab810d5ea78dd42811cf30ae35bf11d55f17b3804154ddb483acff2f11261bfc382b5e18eb42688b

Download Submit
C:\Windows\Installer\MSIBDD8.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\Installer\MSIC26E.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_7b2f8786a9ddb778\oemvista.inf
MD5
41884571579f88540326252b81d0a9f8

SHA1
cfd0ba5db827d21e4fa71663c045b5676d303d6e

SHA256
a461b764e248d3e59a1a730ff94af7e61121f5a02004e02b3b866ac8fd1689be

SHA512
3eeeffc02998c73a11d4a0988fe3823b52ce560f8cb40c76ab810d5ea78dd42811cf30ae35bf11d55f17b3804154ddb483acff2f11261bfc382b5e18eb42688b

Download Submit
\??\c:\PROGRA~1\TAP-WI~1\driver\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files\tap-windows\driver\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\System.dll
MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\System.dll
MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\UserInfo.dll
MD5
9f0cb655a832fdecb9433dd781004637

SHA1
bea6b32a5d2d6d152a52847db1184fab956a9d3b

SHA256
a94fd67daf9137b26e2d98aa4cf46614439bd64263c5c211369a232c444862ea

SHA512
5fd32197a5d9bb7cc65e3917791023fbe2b80a34899d4363475a7fb05fb1051c0a17c72359f3c215d0fd41bbb2dfed0bb95c766131fc175c18ac91cf54b05551

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\nsExec.dll
MD5
1139fb5cc942e668c8277f8b8f1e5f20

SHA1
94bbb2454dad420b70553c0fca4899f120d3ed43

SHA256
9cb71f00c19397723d39861ff809c70f9d2cdbcf91b3dd8021060714512a39cb

SHA512
08e8eb820801875208d9f28fb1416e0fc66abf5cc343e7ac973cc6736dbcd0f85b1bf42e8d110ad8c9a9ced204c00cf530099b8c411871762615051e1f7061d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsuC52C.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD49C.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD49C.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD49C.tmp\UserInfo.dll
MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD49C.tmp\nsExec.dll
MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD49C.tmp\nsExec.dll
MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD49C.tmp\nsExec.dll
MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD49C.tmp\nsExec.dll
MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\Installer\MSIBDD8.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
\Windows\Installer\MSIC26E.tmp
MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
memory/8-85-0x0000000000000000-mapping.dmp

Download
memory/8-87-0x00007FFA780F0000-0x00007FFA7816E000-memory.dmp

Filesize
504KB

Download
memory/208-25-0x0000000000000000-mapping.dmp

Download
memory/540-8-0x0000000000000000-mapping.dmp

Download
memory/1000-92-0x0000000000000000-mapping.dmp

Download
memory/1012-6-0x0000000000000000-mapping.dmp

Download
memory/1124-9-0x0000000000000000-mapping.dmp

Download
memory/1188-10-0x0000000000000000-mapping.dmp

Download
memory/1316-11-0x0000000000000000-mapping.dmp

Download
memory/1400-12-0x0000000000000000-mapping.dmp

Download
memory/1592-14-0x0000000000000000-mapping.dmp

Download
memory/1696-15-0x0000000000000000-mapping.dmp

Download
memory/1944-82-0x00007FFA780F0000-0x00007FFA7816E000-memory.dmp

Filesize
504KB

Download
memory/1944-79-0x0000000000000000-mapping.dmp

Download
memory/2044-91-0x0000000000000000-mapping.dmp

Download
memory/2068-18-0x0000000000000000-mapping.dmp

Download
memory/2160-94-0x0000000000000000-mapping.dmp

Download
memory/3088-23-0x0000000000000000-mapping.dmp

Download
memory/3144-34-0x0000000000000000-mapping.dmp

Download
memory/3144-36-0x00000000741A0000-0x0000000074233000-memory.dmp

Filesize
588KB

Download
memory/3188-2-0x0000000000000000-mapping.dmp

Download
memory/3376-4-0x0000000000000000-mapping.dmp

Download
memory/3920-5-0x0000000000000000-mapping.dmp

Download
memory/4276-7-0x0000000000000000-mapping.dmp

Download
memory/4364-93-0x0000000000000000-mapping.dmp

Download
memory/4508-100-0x0000000000000000-mapping.dmp

Download
memory/4600-99-0x0000000000000000-mapping.dmp

Download
memory/4628-95-0x0000000000000000-mapping.dmp

Download
memory/4712-29-0x0000000000000000-mapping.dmp

Download
memory/4796-26-0x0000000000000000-mapping.dmp

Download
memory/4844-96-0x0000000000000000-mapping.dmp

Download
memory/4920-98-0x0000000000000000-mapping.dmp

Download
memory/4932-97-0x0000000000000000-mapping.dmp

Download
memory/4992-70-0x0000000000000000-mapping.dmp

Download
memory/4992-73-0x00000000741A0000-0x0000000074233000-memory.dmp

Filesize
588KB

Download