Analysis
max time kernel: 116s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 21:55
Static task
static1
Behavioral task
behavioral1
Sample
ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
Resource
win10v2004-20220414-en
General
Target: ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
Size: 10.4MB
MD5: 2e94c71c928d5819a559fc1946e9a71f
SHA1: f16b2bf28d9be8b373e9bb1e42e345047d89377d
SHA256: ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959
SHA512: f51a825c2d1d114c5384fba5cf7a8797e94083e0c98e14bb26b3a98060ca87899d56d1defe5d67cd703ac723a7e622fe9b16fdbaf1263acaa2b432ce266d881b
Malware Config
Extracted
C:\Program Files\OpenVPN\doc\openvpn.8.html
http-proxy
Signatures
Drops file in Drivers directory 9 IoCs
Processes:
DrvInst.exe, DrvInst.exe, DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\SET11D2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\SET6012.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET6012.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\SET6189.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\tap0901.sys | DrvInst.exe
File created | C:\Windows\System32\drivers\SET11D2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\tap0901.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\tap0901.sys | DrvInst.exe
File created | C:\Windows\System32\drivers\SET6189.tmp | DrvInst.exe
Executes dropped EXE 10 IoCs
Processes:
hidec.exe, devcon64.exe, devcon64.exe, openvpn-install-2.4.8-I602-Win10.exe, tap-windows.exe, tapinstall.exe, tapinstall.exe, openvpnserv.exe, autoit3.exe, devcon64.exe
pid | process
2200 | hidec.exe
4232 | devcon64.exe
4504 | devcon64.exe
2100 | openvpn-install-2.4.8-I602-Win10.exe
2396 | tap-windows.exe
3200 | tapinstall.exe
2272 | tapinstall.exe
4900 | openvpnserv.exe
3472 | autoit3.exe
4956 | devcon64.exe
Modifies Installed Components in the registry 2 TTPs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe, cmd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | cmd.exe
Loads dropped DLL 41 IoCs
Processes:
openvpn-install-2.4.8-I602-Win10.exe, tap-windows.exe
pid | process
2100 | openvpn-install-2.4.8-I602-Win10.exe
2396 | tap-windows.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 12 IoCs
Processes:
DrvInst.exe, DrvInst.exe, tapinstall.exe, svchost.exe, DrvInst.exe, devcon64.exe, DrvInst.exe, DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File created | C:\Windows\inf\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | devcon64.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win10.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win10.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
xcopy.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Kills process with taskkill 2 IoCs
Processes:
taskkill.exe, taskkill.exe
pid | process
4864 | taskkill.exe
4808 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 15 IoCs
Processes:
openvpn-install-2.4.8-I602-Win10.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\ = "OpenVPN Config File" openvpn-install-2.4.8-I602-Win10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "open" openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open openvpn-install-2.4.8-I602-Win10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\ = "Start OpenVPN on this config file" openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command openvpn-install-2.4.8-I602-Win10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command\ = "notepad.exe \"%1\"" openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run openvpn-install-2.4.8-I602-Win10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe\" --pause-exit --config \"%1\"" openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile openvpn-install-2.4.8-I602-Win10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\icon.ico,0" openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command openvpn-install-2.4.8-I602-Win10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn\ = "OpenVPNFile" openvpn-install-2.4.8-I602-Win10.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell openvpn-install-2.4.8-I602-Win10.exe
-
Processes:
devcon64.exe
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob devcon64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob devcon64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob devcon64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344 devcon64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob devcon64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 devcon64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob devcon64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 devcon64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob devcon64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob devcon64.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
openvpn-install-2.4.8-I602-Win10.exe
pid process
2100 openvpn-install-2.4.8-I602-Win10.exe
2100 openvpn-install-2.4.8-I602-Win10.exe
2100 openvpn-install-2.4.8-I602-Win10.exe
2100 openvpn-install-2.4.8-I602-Win10.exe
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
taskkill.exe, svchost.exe, tapinstall.exe, DrvInst.exe, svchost.exe, devcon64.exe, DrvInst.exe, svchost.exe, DrvInst.exe, taskkill.exe
description pid process
Token: SeDebugPrivilege 4864 taskkill.exe
Token: SeAuditPrivilege 4416 svchost.exe
Token: SeSecurityPrivilege 4416 svchost.exe
Token: SeLoadDriverPrivilege 2272 tapinstall.exe
Token: SeRestorePrivilege 3880 DrvInst.exe
Token: SeBackupPrivilege 3880 DrvInst.exe
Token: SeLoadDriverPrivilege 3880 DrvInst.exe
Token: SeLoadDriverPrivilege 3880 DrvInst.exe
Token: SeLoadDriverPrivilege 3880 DrvInst.exe
Token: SeShutdownPrivilege 3340 svchost.exe
Token: SeCreatePagefilePrivilege 3340 svchost.exe
Token: SeLoadDriverPrivilege 3340 svchost.exe
Token: SeLoadDriverPrivilege 3340 svchost.exe
Token: SeLoadDriverPrivilege 4956 devcon64.exe
Token: SeRestorePrivilege 992 DrvInst.exe
Token: SeBackupPrivilege 992 DrvInst.exe
Token: SeLoadDriverPrivilege 992 DrvInst.exe
Token: SeLoadDriverPrivilege 992 DrvInst.exe
Token: SeLoadDriverPrivilege 992 DrvInst.exe
Token: SeLoadDriverPrivilege 992 DrvInst.exe
Token: SeShutdownPrivilege 2360 svchost.exe
Token: SeCreatePagefilePrivilege 2360 svchost.exe
Token: SeLoadDriverPrivilege 2360 svchost.exe
Token: SeLoadDriverPrivilege 2360 svchost.exe
Token: SeLoadDriverPrivilege 4956 devcon64.exe
Token: SeRestorePrivilege 4252 DrvInst.exe
Token: SeBackupPrivilege 4252 DrvInst.exe
Token: SeLoadDriverPrivilege 4252 DrvInst.exe
Token: SeLoadDriverPrivilege 4252 DrvInst.exe
Token: SeLoadDriverPrivilege 4252 DrvInst.exe
Token: SeLoadDriverPrivilege 2360 svchost.exe
Token: SeLoadDriverPrivilege 2360 svchost.exe
Token: SeLoadDriverPrivilege 2360 svchost.exe
Token: SeLoadDriverPrivilege 2360 svchost.exe
Token: SeDebugPrivilege 4808 taskkill.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe, hidec.exe, cmd.exe, openvpn-install-2.4.8-I602-Win10.exe, tap-windows.exe
description pid process target process
PID 3472 wrote to memory of 2200 3472 ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe hidec.exe
PID 3472 wrote to memory of 2200 3472 ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe hidec.exe
PID 3472 wrote to memory of 2200 3472 ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe hidec.exe
PID 2200 wrote to memory of 4200 2200 hidec.exe cmd.exe
PID 2200 wrote to memory of 4200 2200 hidec.exe cmd.exe
PID 2200 wrote to memory of 4200 2200 hidec.exe cmd.exe
PID 4200 wrote to memory of 1968 4200 cmd.exe chcp.com
PID 4200 wrote to memory of 1968 4200 cmd.exe chcp.com
PID 4200 wrote to memory of 1968 4200 cmd.exe chcp.com
PID 4200 wrote to memory of 4152 4200 cmd.exe cmd.exe
PID 4200 wrote to memory of 4152 4200 cmd.exe cmd.exe
PID 4200 wrote to memory of 4152 4200 cmd.exe cmd.exe
PID 4200 wrote to memory of 4956 4200 cmd.exe find.exe
PID 4200 wrote to memory of 4956 4200 cmd.exe find.exe
PID 4200 wrote to memory of 4956 4200 cmd.exe find.exe
PID 4200 wrote to memory of 3128 4200 cmd.exe cmd.exe
PID 4200 wrote to memory of 3128 4200 cmd.exe cmd.exe
PID 4200 wrote to memory of 3128 4200 cmd.exe cmd.exe
PID 4200 wrote to memory of 3296 4200 cmd.exe find.exe
PID 4200 wrote to memory of 3296 4200 cmd.exe find.exe
PID 4200 wrote to memory of 3296 4200 cmd.exe find.exe
PID 4200 wrote to memory of 4864 4200 cmd.exe taskkill.exe
PID 4200 wrote to memory of 4864 4200 cmd.exe taskkill.exe
PID 4200 wrote to memory of 4864 4200 cmd.exe taskkill.exe
PID 4200 wrote to memory of 5084 4200 cmd.exe PING.EXE
PID 4200 wrote to memory of 5084 4200 cmd.exe PING.EXE
PID 4200 wrote to memory of 5084 4200 cmd.exe PING.EXE
PID 4200 wrote to memory of 4232 4200 cmd.exe devcon64.exe
PID 4200 wrote to memory of 4232 4200 cmd.exe devcon64.exe
PID 4200 wrote to memory of 4504 4200 cmd.exe devcon64.exe
PID 4200 wrote to memory of 4504 4200 cmd.exe devcon64.exe
PID 4200 wrote to memory of 4012 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4012 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4012 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 2172 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 2172 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 2172 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 3832 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 3832 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 3832 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 552 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 552 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 552 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4404 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4404 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4404 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4016 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4016 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4016 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 772 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 772 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 772 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4500 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4500 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 4500 4200 cmd.exe reg.exe
PID 4200 wrote to memory of 2100 4200 cmd.exe openvpn-install-2.4.8-I602-Win10.exe
PID 4200 wrote to memory of 2100 4200 cmd.exe openvpn-install-2.4.8-I602-Win10.exe
PID 4200 wrote to memory of 2100 4200 cmd.exe openvpn-install-2.4.8-I602-Win10.exe
PID 2100 wrote to memory of 2396 2100 openvpn-install-2.4.8-I602-Win10.exe tap-windows.exe
PID 2100 wrote to memory of 2396 2100 openvpn-install-2.4.8-I602-Win10.exe tap-windows.exe
PID 2100 wrote to memory of 2396 2100 openvpn-install-2.4.8-I602-Win10.exe tap-windows.exe
PID 2396 wrote to memory of 3200 2396 tap-windows.exe tapinstall.exe
PID 2396 wrote to memory of 3200 2396 tap-windows.exe tapinstall.exe
PID 2396 wrote to memory of 2272 2396 tap-windows.exe tapinstall.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\ad7d30c0b2d86aca849b3c7b6ca343386f8083a02b7d1cedecf6a36f8da3c959.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.com (depth 4)
chcp.com 866
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
C:\Windows\system32\cmd.exe /S /D /c" ver.exe 2>nul"
-
C:\Windows\SysWOW64\find.exe (depth 4)
find.exe " 6."
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
C:\Windows\system32\cmd.exe /S /D /c" ver.exe 2>nul"
-
C:\Windows\SysWOW64\find.exe (depth 4)
find.exe " 5."
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "devcon32.exe" /IM "devcon64.exe" /IM "tap-windows.exe" /IM "openvpn-run.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXE (depth 4)
ping.exe 127.0.0.1 -n 2
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe" remove "tap0901"
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe" remove "tap0801"
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKCR\.ovpn" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKCR\OpenVPN" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win10.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win10.exe" /S
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe (depth 5)
"C:\Users\Admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe (depth 6)
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe (depth 6)
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\certutil.exe (depth 4)
certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\\tapadd.cer"
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\autoit3.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\autoit3.exe" "tapadd.au3"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\tap\x64\oemwin2k.inf" "tap0901"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exe (depth 4)
find.exe /I "successfully"
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
-
C:\Windows\SysWOW64\reg.exe (depth 5)
reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F
-
C:\Windows\SysWOW64\reg.exe (depth 4)
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0003" /V "Characteristics" /T REG_DWORD /D "0x89" /F
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
taskkill.exe /F /T /IM "autoit3.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\xcopy.exe (depth 4)
xcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"
- Drops file in Program Files directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe (depth 4)
forfiles.exe /C "C:\Windows\system32\cmd.exe /C if @isdir==TRUE ( rmdir /S /Q @path )" /M "OpenVPN"
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
/C if TRUE==TRUE ( rmdir /S /Q "C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OpenVPN" )
-
C:\Windows\SysWOW64\forfiles.exe (depth 4)
forfiles.exe /C "C:\Windows\system32\cmd.exe /C if @isdir==FALSE ( del /A /F /Q @path )" /M "OpenVPN GUI.lnk"
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
/C if FALSE==FALSE ( del /A /F /Q "C:\Users\Public\Desktop\OpenVPN GUI.lnk" )
-
C:\Windows\SysWOW64\forfiles.exe (depth 4)
forfiles.exe /C "C:\Windows\system32\cmd.exe /C if @isdir==TRUE ( rmdir /S /Q @path )" /M "TAP-Windows"
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
/C if TRUE==TRUE ( rmdir /S /Q "C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\TAP-Windows" )
-
C:\Windows\SysWOW64\wscript.exe (depth 4)
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\bin\openvpn-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"
-
C:\Windows\SysWOW64\wscript.exe (depth 4)
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\bin\openvpn-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"
-
C:\Windows\SysWOW64\PING.EXE (depth 4)
ping 127.0.0.1 -n 11
- Runs ping.exe
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe (depth 2)
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5869e911-d81e-6945-89fc-8e4d887245dd}\oemvista.inf" "9" "4d14a44ff" "0000000000000144" "WinSta0\Default" "0000000000000158" "208" "c:\program files\tap-windows\driver"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exe (depth 2)
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "0000000000000178"
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe (depth 2)
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7c079daf-588b-8c4e-a236-7bc975174140}\oemwin2k.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000188" "208" "c:\users\admin\appdata\local\temp\openvpn\files\bin\tap\x64"
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exe (depth 2)
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "0000000000000158"
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe (depth 2)
DrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "0000000000000190"
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\OpenVPN\bin\openvpnserv.exe (depth 1)
"C:\Program Files\OpenVPN\bin\openvpnserv.exe"
- Executes dropped EXE
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe
Filesize 495KB
-
C:\Program Files\TAP-Windows\driver\OemVista.inf
Filesize 7KB
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize 80KB
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\tapdel.bat
Filesize 493B
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
Filesize 1KB
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat
Filesize 7KB
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win10.exe
Filesize 4.1MB
-
C:\Users\Admin\AppData\Local\Temp\nsnF5FF.tmp\SimpleSC.dll
Filesize 61KB
-
C:\Users\Admin\AppData\Local\Temp\nsnF5FF.tmp\System.dll
Filesize 23KB
-
C:\Users\Admin\AppData\Local\Temp\nsnF5FF.tmp\UserInfo.dll
Filesize 6KB
-
C:\Users\Admin\AppData\Local\Temp\nsnF5FF.tmp\nsExec.dll
Filesize 9KB
-
C:\Users\Admin\AppData\Local\Temp\nsnF5FF.tmp\nsProcess.dll
Filesize 4KB
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\ShellLink.dll
Filesize 4KB
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\System.dll
Filesize 11KB
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\UserInfo.dll
Filesize 4KB
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\nsExec.dll
Filesize 6KB
-
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
Filesize 574KB
-
C:\Users\Admin\AppData\Local\Temp\{5869E~1\tap0901.cat
Filesize 10KB
-
C:\Users\Admin\AppData\Local\Temp\{5869E~1\tap0901.sys
Filesize 38KB
-
C:\Users\Admin\AppData\Local\Temp\{5869e911-d81e-6945-89fc-8e4d887245dd}\oemvista.inf
Filesize 7KB
-
C:\Windows\INF\oem2.inf
Filesize 7KB
-
C:\Windows\System32\DriverStore\FileRepository\OEMVIS~1.INF\tap0901.sys
Filesize 38KB
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf
Filesize 7KB
-
\??\c:\PROGRA~1\TAP-WI~1\driver\tap0901.sys
Filesize 38KB
-
\??\c:\program files\tap-windows\driver\tap0901.cat
Filesize 10KB