Analysis
- max time kernel: 47s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 21:55

Static task: static1
Behavioral task: behavioral1
  Sample: ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
  Resource: win10v2004-20220414-en
General
- Target: ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
- Size: 10.4MB
- MD5: 2e94c71c928d5819a559fc1946e9a71f
- SHA1: f16b2bf28d9be8b373e9bb1e42e345047d89377d
- SHA256: ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959
- SHA512: f51a825c2d1d114c5384fba5cf7a8797e94083e0c98e14bb26b3a98060ca87899d56d1defe5d67cd703ac723a7e622fe9b16fdbaf1263acaa2b432ce266d881b
Malware Config
Extracted
C:\Program Files\OpenVPN\doc\openvpn.8.html
http-proxy
Signatures
- Executes dropped EXE (7 IoCs)
  Processes (pid, process):
    956 hidec.exe
    1492 devcon64.exe
    696 devcon64.exe
    768 openvpn-install-2.4.8-I602-Win7.exe
    1712 tap-windows.exe
    2036 tapinstall.exe
    1696 tapinstall.exe
- Loads dropped DLL (36 IoCs)
  Processes (pid, process, number of entries):
    1156 ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe (2)
    2028 cmd.exe (5)
    768 openvpn-install-2.4.8-I602-Win7.exe (21)
    1712 tap-windows.exe (8)
- Drops file in System32 directory (9 IoCs)
  Processes (description, ioc, process):
    File created C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\SETE19B.tmp DrvInst.exe
    File opened for modification C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\SETE17A.tmp DrvInst.exe
    File opened for modification C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\oemvista.inf DrvInst.exe
    File opened for modification C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\SETE18B.tmp DrvInst.exe
    File created C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\SETE18B.tmp DrvInst.exe
    File opened for modification C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\tap0901.cat DrvInst.exe
    File opened for modification C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\SETE19B.tmp DrvInst.exe
    File created C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\SETE17A.tmp DrvInst.exe
    File opened for modification C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\tap0901.sys DrvInst.exe
- Drops file in Program Files directory (18 IoCs)
  Processes (description, ioc, process):
    File created C:\Program Files\OpenVPN\sample-config\client.ovpn openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\TAP-Windows\license.txt tap-windows.exe
    File created C:\Program Files\TAP-Windows\icon.ico tap-windows.exe
    File created C:\Program Files\OpenVPN\doc\INSTALL-win32.txt openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\OpenVPN\config\README.txt openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\TAP-Windows\driver\tap0901.sys tap-windows.exe
    File created C:\Program Files\TAP-Windows\bin\addtap.bat tap-windows.exe
    File created C:\Program Files\OpenVPN\bin\openvpnserv2.exe openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\TAP-Windows\driver\OemVista.inf tap-windows.exe
    File created C:\Program Files\TAP-Windows\driver\tap0901.cat tap-windows.exe
    File created C:\Program Files\TAP-Windows\bin\deltapall.bat tap-windows.exe
    File created C:\Program Files\OpenVPN\bin\openvpn.exe openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\OpenVPN\doc\openvpn.8.html openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\OpenVPN\sample-config\sample.ovpn openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\OpenVPN\log\README.txt openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\OpenVPN\bin\openvpnserv.exe openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\OpenVPN\sample-config\server.ovpn openvpn-install-2.4.8-I602-Win7.exe
    File created C:\Program Files\TAP-Windows\bin\tapinstall.exe tap-windows.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
    File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
    File opened for modification C:\Windows\INF\setupapi.app.log tapinstall.exe
    File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (9 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe nsis_installer_2
    \Users\Admin\AppData\Local\Temp\tap-windows.exe nsis_installer_1
    \Users\Admin\AppData\Local\Temp\tap-windows.exe nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\tap-windows.exe nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\tap-windows.exe nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\tap-windows.exe nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\tap-windows.exe nsis_installer_2
- Kills process with taskkill (1 IoCs)
  Processes (pid, process):
    1108 taskkill.exe
- Modifies data under HKEY_USERS (43 IoCs)
  Processes (description, ioc; the process is DrvInst.exe for every entry):
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
    Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
    Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
    Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
    Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- Modifies system certificate store
  Processes (description, ioc; the process is tapinstall.exe for every entry; certificate Blob values omitted):
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted]
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted]
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted]
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted]
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted]
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted]
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    768 openvpn-install-2.4.8-I602-Win7.exe
    768 openvpn-install-2.4.8-I602-Win7.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes (description, pid, process, number of entries):
    Token: SeDebugPrivilege 1108 taskkill.exe (1)
    Token: SeRestorePrivilege 1696 tapinstall.exe (14)
    Token: SeRestorePrivilege 1252 DrvInst.exe (14)
    Token: SeRestorePrivilege 696 rundll32.exe (7)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process, target pid and process, number of entries):
    1156 ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe wrote to memory of 956 hidec.exe (7)
    956 hidec.exe wrote to memory of 2028 cmd.exe (7)
    2028 cmd.exe wrote to memory of 2000 chcp.com (7)
    2028 cmd.exe wrote to memory of 1948 cmd.exe (7)
    2028 cmd.exe wrote to memory of 1996 find.exe (7)
    2028 cmd.exe wrote to memory of 1012 cmd.exe (7)
    2028 cmd.exe wrote to memory of 1648 find.exe (7)
    2028 cmd.exe wrote to memory of 1108 taskkill.exe (7)
    2028 cmd.exe wrote to memory of 1528 PING.EXE (7)
    2028 cmd.exe wrote to memory of 1492 devcon64.exe (1)
Processes (process tree; depth is the nesting level in the tree)

Depth 1: C:\Users\Admin\AppData\Local\Temp\ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Depth 2: C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\chcp.com
  Command line: chcp.com 866
Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" ver.exe 2>nul"
Depth 4: C:\Windows\SysWOW64\find.exe
  Command line: find.exe " 6."
Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" ver.exe 2>nul"
Depth 4: C:\Windows\SysWOW64\find.exe
  Command line: find.exe " 5."
Depth 4: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "devcon32.exe" /IM "devcon64.exe" /IM "tap-windows.exe" /IM "openvpn-run.exe"
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
Depth 4: C:\Windows\SysWOW64\PING.EXE
  Command line: ping.exe 127.0.0.1 -n 2
  - Runs ping.exe
Depth 4: C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe" remove "tap0901"
  - Executes dropped EXE
Depth 4: C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe" remove "tap0801"
  - Executes dropped EXE
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKCR\.ovpn" /F
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKCR\OpenVPN" /F
Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F
Depth 4: C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe" /S
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
Depth 5: C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
Depth 6: C:\Program Files\TAP-Windows\bin\tapinstall.exe
  Command line: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
  - Executes dropped EXE
Depth 6: C:\Program Files\TAP-Windows\bin\tapinstall.exe
  Command line: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
Depth 1: C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6f93bc54-24f6-27f3-7266-e7303c3c901a}\oemvista.inf" "9" "6d14a44ff" "0000000000000328" "WinSta0\Default" "00000000000002FC" "208" "c:\program files\tap-windows\driver"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Depth 2: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{32e91ede-6e07-193f-19fc-a11bcf75055b} Global\{7ccc0c70-65a5-744d-3e76-332a2e2d0841} C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\tap0901.cat
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\TAP-Windows\bin\tapinstall.exe
  Filesize: 486KB
  MD5: f19cffff76ff48e98f060a563dd8345b
  SHA1: c77f3fe9ffba02de288661fbb66656791196edbc
  SHA256: 16d1ff6409065d9c0bc50fc2ade61b3299a141cf2553749d8891bedbea43de70
  SHA512: 0d4a53fa4b0d4ff71af1fff5888005570404bf5309942f477b1d754073f6d200abade20daaffa3fb6da55f2b23588ca439273bd9268257b83b00f973b7b61841
- C:\Program Files\TAP-Windows\driver\OemVista.inf
  Filesize: 7KB
  MD5: 50d29ca2e3ddb8a696923420ec2ac4fa
  SHA1: d85f4e65fe10f13ded1780ddbd074edfc75f2d25
  SHA256: 817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b
  SHA512: 03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3
- C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
  Filesize: 80KB
  MD5: 3904d0698962e09da946046020cbcb17
  SHA1: edae098e7e8452ca6c125cf6362dda3f4d78f0ae
  SHA256: a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
  SHA512: c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
- C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\tapdel.bat
  Filesize: 493B
  MD5: 20be78849f16f8008914d8146b5a06f3
  SHA1: 7025a9cf11277fcafb527a1b6bd72fa9e467d6e2
  SHA256: fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2
  SHA512: 0f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0
- C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
  Filesize: 1KB
  MD5: abc6379205de2618851c4fcbf72112eb
  SHA1: 1ed7b1e965eab56f55efda975f9f7ade95337267
  SHA256: 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
  SHA512: 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
- C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat
  Filesize: 7KB
  MD5: ed3f4bc5af7893b0e6f216bd121e148c
  SHA1: 1f303d8b108136b24a392db7d378123524fd5298
  SHA256: 36d7262e86c846fea6328974b352ee468fb18d79bef829b238800fb3f40c1a3f
  SHA512: a0736861c71ad16c5594cad54139be7fb84349519d330814aa7d250754c0c466152a5745a2ab0bd184f287656759d5820a7ec777d697a8997d53894b978eec27
- C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe
  Filesize: 4.1MB
  MD5: 73bcd5b6a0208d953a38ed74fdef5ff1
  SHA1: 8c9f28d7bdbb4613777a9741809e34b91fd45a0f
  SHA256: 16165e4505874e71c9fe732041274c3ce10e0881dfeeece529e8b54c5b558296
  SHA512: f599a4e25a9c48642c6bae94d13396222b93bcda0aa5efd2cd16557bb64fc967dcf54a6a8445824db1c420af0f8dcde31fb0bc3a96134720d0d08b52f0967ecc
- C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
  Filesize: 561KB
  MD5: df2dfcd6d8a69c2799a43baf80d34047
  SHA1: f0fd7873544739a0cac4cf93e446efe629c00668
  SHA256: 35cfa71fe2952192c13cbbd8a2f3f62a6486af406008e654646ea1d823928d46
  SHA512: e4d7aab39539c7020538a5d26554e52fb23a365d6b8276a10ea25bb4067a04c5e40417cd54c73d8686d6023597b2be0ee138960428c7ca1d791620d5464d3764
- C:\Users\Admin\AppData\Local\Temp\{6F93B~1\tap0901.sys
  Filesize: 30KB
  MD5: 7da5638f82f0ef7a759c9a35cfae38e3
  SHA1: 841a86f416a882b0743fd6d9c9f29baf3ed06b6a
  SHA256: fb4825ce4b0bf61fa4e30109ef5d718906716560cdc8274092fcb072c5bd762d
  SHA512: 53867e2c53e263d9df613d973f946d0cee703acc4e48e63c9178fddcc34c070060957e77fd729e876a9adb20cc8cee4b0dbdc6166bac573fc7e84bfb0ae8e9f4
- C:\Users\Admin\AppData\Local\Temp\{6f93bc54-24f6-27f3-7266-e7303c3c901a}\oemvista.inf
  Filesize: 7KB
  MD5: 50d29ca2e3ddb8a696923420ec2ac4fa
  SHA1: d85f4e65fe10f13ded1780ddbd074edfc75f2d25
  SHA256: 817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b
  SHA512: 03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3
- C:\Users\Admin\AppData\Local\Temp\{6f93bc54-24f6-27f3-7266-e7303c3c901a}\tap0901.cat
  Filesize: 9KB
  MD5: 685d08d5e2a2450648a40b518e2046fc
  SHA1: d99e38968de1ca1850971a2b81bfdab49626aaed
  SHA256: 56a658934acc55ad665d685ae05913b4710e053a8fd385c0798b96041da161b2
  SHA512: 619d08317328b351feea51c08c57b4704eea0a92836d6ed3be850478ea6a9c2a14dfa30c763581608e16983010ab2e12b51e3bec68f3480ee45a04c0e857fdb7
- C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\oemvista.inf
  Filesize: 7KB
  MD5: 50d29ca2e3ddb8a696923420ec2ac4fa
  SHA1: d85f4e65fe10f13ded1780ddbd074edfc75f2d25
  SHA256: 817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b
  SHA512: 03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3
-
C:\Windows\System32\DriverStore\Temp\{723fc2f7-c68b-68e4-b9c5-b218f6a9f431}\tap0901.cat
Filesize 9KB
MD5 685d08d5e2a2450648a40b518e2046fc
SHA1 d99e38968de1ca1850971a2b81bfdab49626aaed
SHA256 56a658934acc55ad665d685ae05913b4710e053a8fd385c0798b96041da161b2
SHA512 619d08317328b351feea51c08c57b4704eea0a92836d6ed3be850478ea6a9c2a14dfa30c763581608e16983010ab2e12b51e3bec68f3480ee45a04c0e857fdb7
-
\??\c:\PROGRA~1\TAP-WI~1\driver\tap0901.sys
Filesize 30KB
MD5 7da5638f82f0ef7a759c9a35cfae38e3
SHA1 841a86f416a882b0743fd6d9c9f29baf3ed06b6a
SHA256 fb4825ce4b0bf61fa4e30109ef5d718906716560cdc8274092fcb072c5bd762d
SHA512 53867e2c53e263d9df613d973f946d0cee703acc4e48e63c9178fddcc34c070060957e77fd729e876a9adb20cc8cee4b0dbdc6166bac573fc7e84bfb0ae8e9f4
-
\??\c:\program files\tap-windows\driver\tap0901.cat
Filesize 9KB
MD5 685d08d5e2a2450648a40b518e2046fc
SHA1 d99e38968de1ca1850971a2b81bfdab49626aaed
SHA256 56a658934acc55ad665d685ae05913b4710e053a8fd385c0798b96041da161b2
SHA512 619d08317328b351feea51c08c57b4704eea0a92836d6ed3be850478ea6a9c2a14dfa30c763581608e16983010ab2e12b51e3bec68f3480ee45a04c0e857fdb7
-
\Program Files\OpenVPN\bin\openvpn.exe
Filesize 820KB
MD5 2a16506f43ad6ad1abc4ba6236cd52cc
SHA1 4d99bb40230596072ebcbc9164933b3b77c96f17
SHA256 e32da5bfc8077d2125724f316e53ad348688735d8f2c9f6c371fe59427aeb1a0
SHA512 704f2ec6d5f0dce0cafe4c2053b19ebd94cb369a09bf77ca91465646ec6f0b9814d4f3a44b299127449896113784476eafff551c5f70323c5b4443eab5d6bf2a
-
\Program Files\TAP-Windows\bin\tapinstall.exe
Filesize 486KB
MD5 f19cffff76ff48e98f060a563dd8345b
SHA1 c77f3fe9ffba02de288661fbb66656791196edbc
SHA256 16d1ff6409065d9c0bc50fc2ade61b3299a141cf2553749d8891bedbea43de70
SHA512 0d4a53fa4b0d4ff71af1fff5888005570404bf5309942f477b1d754073f6d200abade20daaffa3fb6da55f2b23588ca439273bd9268257b83b00f973b7b61841
-
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize 80KB
MD5 3904d0698962e09da946046020cbcb17
SHA1 edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256 a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512 c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
Filesize 1KB
MD5 abc6379205de2618851c4fcbf72112eb
SHA1 1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe
Filesize 4.1MB
MD5 73bcd5b6a0208d953a38ed74fdef5ff1
SHA1 8c9f28d7bdbb4613777a9741809e34b91fd45a0f
SHA256 16165e4505874e71c9fe732041274c3ce10e0881dfeeece529e8b54c5b558296
SHA512 f599a4e25a9c48642c6bae94d13396222b93bcda0aa5efd2cd16557bb64fc967dcf54a6a8445824db1c420af0f8dcde31fb0bc3a96134720d0d08b52f0967ecc
-
\Users\Admin\AppData\Local\Temp\nsjD74F.tmp\ShellLink.dll
Filesize 4KB
MD5 aad75be0bdd1f1bac758b521c9f1d022
SHA1 5d444b8432c8834f5b5cd29225101856cebb8ecf
SHA256 d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7
SHA512 4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0
-
\Users\Admin\AppData\Local\Temp\nsjD74F.tmp\System.dll
Filesize 11KB
MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
\Users\Admin\AppData\Local\Temp\nsjD74F.tmp\UserInfo.dll
Filesize 4KB
MD5 7836f464ae0102452e94a363b491b759
SHA1 59909a48448b99e2eb9cd336d81d60764da59f31
SHA256 11adf8916947b5a20a071b494fa034cf62769dcc6293a1340b29a5bb29ac8e87
SHA512 5ed63eefa1b3b3caad4cb762ccb8419c05bcad3da3a7415235cda2d2a1f79eb018503ca30a0a92d6b72160327decea9a70c48e0c28de94dd67303d4aea4a02db
-
\Users\Admin\AppData\Local\Temp\nsjD74F.tmp\nsExec.dll
Filesize 6KB
MD5 50ba20cad29399e2db9fa75a1324bd1d
SHA1 3850634bb15a112623222972ef554c8d1eca16f4
SHA256 e7b145abc7c519e6bd91dc06b7b83d1e73735ac1ac37d30a7889840a6eed38fc
SHA512 893e053fcb0a2d3742e2b13b869941a3a485b2bda3a92567f84190cb1be170b67d20cc71c6a2cb92f4202140c8afd9c40a358496947d709e0c4b68d43a368754
-
\Users\Admin\AppData\Local\Temp\nst8F09.tmp\SimpleSC.dll
Filesize 61KB
MD5 d63975ce28f801f236c4aca5af726961
SHA1 3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9
SHA256 e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
SHA512 8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810
-
\Users\Admin\AppData\Local\Temp\nst8F09.tmp\System.dll
Filesize 23KB
MD5 2e025e2cee2953cce0160c3cd2e1a64e
SHA1 dec3da040ea72d63528240598bf14f344efb2a76
SHA256 d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5
SHA512 3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860
-
\Users\Admin\AppData\Local\Temp\nst8F09.tmp\UserInfo.dll
Filesize 6KB
MD5 9f0cb655a832fdecb9433dd781004637
SHA1 bea6b32a5d2d6d152a52847db1184fab956a9d3b
SHA256 a94fd67daf9137b26e2d98aa4cf46614439bd64263c5c211369a232c444862ea
SHA512 5fd32197a5d9bb7cc65e3917791023fbe2b80a34899d4363475a7fb05fb1051c0a17c72359f3c215d0fd41bbb2dfed0bb95c766131fc175c18ac91cf54b05551
-
\Users\Admin\AppData\Local\Temp\nst8F09.tmp\nsExec.dll
Filesize 9KB
MD5 1139fb5cc942e668c8277f8b8f1e5f20
SHA1 94bbb2454dad420b70553c0fca4899f120d3ed43
SHA256 9cb71f00c19397723d39861ff809c70f9d2cdbcf91b3dd8021060714512a39cb
SHA512 08e8eb820801875208d9f28fb1416e0fc66abf5cc343e7ac973cc6736dbcd0f85b1bf42e8d110ad8c9a9ced204c00cf530099b8c411871762615051e1f7061d0
-
\Users\Admin\AppData\Local\Temp\nst8F09.tmp\nsProcess.dll
Filesize 4KB
MD5 05450face243b3a7472407b999b03a72
SHA1 ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA256 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512 f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b
-
\Users\Admin\AppData\Local\Temp\tap-windows.exeFilesize
561KB
MD5df2dfcd6d8a69c2799a43baf80d34047
SHA1f0fd7873544739a0cac4cf93e446efe629c00668
SHA25635cfa71fe2952192c13cbbd8a2f3f62a6486af406008e654646ea1d823928d46
SHA512e4d7aab39539c7020538a5d26554e52fb23a365d6b8276a10ea25bb4067a04c5e40417cd54c73d8686d6023597b2be0ee138960428c7ca1d791620d5464d3764
-
memory/640-99-0x0000000000000000-mapping.dmp
-
memory/676-93-0x0000000000000000-mapping.dmp
-
memory/696-166-0x000007FEFB801000-0x000007FEFB803000-memory.dmp
Filesize 8KB
-
memory/696-85-0x0000000000000000-mapping.dmp
-
memory/696-165-0x0000000000000000-mapping.dmp
-
memory/768-112-0x0000000001F80000-0x0000000001F93000-memory.dmp
Filesize 76KB
-
memory/768-105-0x0000000000000000-mapping.dmp
-
memory/956-57-0x0000000000000000-mapping.dmp
-
memory/1012-69-0x0000000000000000-mapping.dmp
-
memory/1080-101-0x0000000000000000-mapping.dmp
-
memory/1108-73-0x0000000000000000-mapping.dmp
-
memory/1112-95-0x0000000000000000-mapping.dmp
-
memory/1156-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
Filesize 8KB
-
memory/1168-91-0x0000000000000000-mapping.dmp
-
memory/1340-97-0x0000000000000000-mapping.dmp
-
memory/1492-81-0x0000000000000000-mapping.dmp
-
memory/1528-75-0x0000000000000000-mapping.dmp
-
memory/1644-89-0x0000000000000000-mapping.dmp
-
memory/1648-70-0x0000000000000000-mapping.dmp
-
memory/1696-157-0x0000000000000000-mapping.dmp
-
memory/1712-143-0x0000000000000000-mapping.dmp
-
memory/1824-87-0x0000000000000000-mapping.dmp
-
memory/1948-65-0x0000000000000000-mapping.dmp
-
memory/1996-67-0x0000000000000000-mapping.dmp
-
memory/2000-63-0x0000000000000000-mapping.dmp
-
memory/2028-60-0x0000000000000000-mapping.dmp
-
memory/2036-153-0x0000000000000000-mapping.dmp