ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9

Analysis

max time kernel
50s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe
Size

10.4MB
MD5

51fc6af2fca0debc1b2a9cd657c51f08
SHA1

717598e0090355ea6879466379672318f32f0338
SHA256

ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9
SHA512

b98935bfa8b76c503e41cd1040c95dde20b6cbd15ed1c90656725098c2d48afcf7ba65d19e6fe6287622dec9b5bb39c2a9e6dd2c0fab8136ad3dbc1874d122a4

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files\OpenVPN\doc\openvpn.8.html

Ransom Note

Content-type: text/html; charset=UTF-8 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML><HEAD><TITLE>Man page of openvpn</TITLE> </HEAD><BODY> <H1>openvpn</H1> Section: Maintenance Commands (8) Updated: 28 February 2018 <A HREF="#index">Index</A> <A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR> <A NAME="lbAB"> </A> <H2>NAME</H2> openvpn - secure IP tunnel daemon. <A NAME="lbAC"> </A> <H2>SYNOPSIS</H2> openvpn [ options ... ] <A NAME="lbAD"> </A> <H2>INTRODUCTION</H2> OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tries to be a universal VPN tool offering a great deal of flexibility, there are a lot of options on this manual page. If you're new to OpenVPN, you might want to skip ahead to the examples section where you will see how to construct simple VPNs on the command line without even needing a configuration file. Also note that there's more documentation and examples on the OpenVPN web site: <A HREF="http://openvpn.net/">http://openvpn.net/</A> And if you would like to see a shorter version of this manual, see the openvpn usage message which can be obtained by running openvpn without any parameters. <A NAME="lbAE"> </A> <H2>DESCRIPTION</H2> OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms. OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels. OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint. <A NAME="lbAF"> </A> <H2>OPTIONS</H2> OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file. <DL COMPACT> <DT>--help <DD> Show options. <DT>--config file <DD> Load additional config options from file where each line corresponds to one command line option, but with the leading '--' removed. If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file Note that configuration files can be nested to a reasonable depth. Double quotation or single quotation characters ("", '') can be used to enclose single parameters containing whitespace, and "#" or ";" characters in the first column can be used to denote comments. Note that OpenVPN 2.0 and higher performs backslash-based shell escaping for characters not in single quotations, so the following mappings should be observed: <PRE> \\ Maps to a single backslash character (\). \" Pass a literal doublequote character ("), don't interpret it as enclosing a parameter. \[SPACE] Pass a literal space or tab character, don't interpret it as a parameter delimiter. </PRE> For example on Windows, use double backslashes to represent pathnames: <PRE> secret "c:\\OpenVPN\\secret.key" </PRE> For examples of configuration files, see <A HREF="http://openvpn.net/examples.html">http://openvpn.net/examples.html</A> Here is an example configuration file: <PRE> # # Sample OpenVPN configuration file for # using a pre-shared static key. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. dev tun # Our remote peer remote mypeer.mydomain # 10.1.0.1 is our local VPN endpoint # 10.1.0.2 is our remote VPN endpoint ifconfig 10.1.0.1 10.1.0.2 # Our pre-shared static key secret static.key </PRE> </DL> <A NAME="lbAG"> </A> <H3>Tunnel Options:</H3> <DL COMPACT> <DT>--mode m <DD> Set OpenVPN major mode. By default, OpenVPN runs in point-to-point mode ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which implements a multi-client server capability. <DT>--local host <DD> Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces. <DT>--remote host [port] [proto] <DD> Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature. See the <connection> documentation below. The OpenVPN client will try to connect to a server at host:port in the order specified by the list of --remote options. proto indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp". For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like udp4/udp6/tcp4/tcp6. The client will move on to the next host in the list, in the event of connection failure. Note that at any given time, the OpenVPN client will at most be connected to one server. Note that since UDP is connectionless, connection failure is defined by the --ping and --ping-restart options. Note the following corner case: If you use multiple --remote options, AND you are dropping root privileges on the client with --user and/or --group, AND the client is running a non-Windows OS, if the client needs to switch to a different server, and that server pushes back different TUN/TAP or route settings, the client may lack the necessary privileges to close and reopen the TUN/TAP interface. This could cause the client to exit with a fatal error. If --remote is unspecified, OpenVPN will listen for packets from any IP address, but will not act on those packets unless they pass all authentication tests. This requirement for authentication is binding on all potential peers, even those from known and supposedly trusted IP addresses (it is very easy to forge a source IP address on a UDP packet). When used in TCP mode, --remote will act as a filter, rejecting connections from any host which does not match host. If host is a DNS name which resolves to multiple IP addresses, OpenVPN will try them in the order that the system getaddrinfo() presents them, so priorization and DNS randomization is done by the system library. Unless an IP version is forced by the protocol specification (4/6 suffix), OpenVPN will try both IPv4 and IPv6 addresses, in the order getaddrinfo() returns them. <DT>--remote-random-hostname <DD> Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent DNS caching. For example, "foo.bar.gov" would be modified to "<random-chars>.foo.bar.gov". <DT><connection> <DD> Define a client connection profile. Client connection profiles are groups of OpenVPN options that describe how to connect to a given OpenVPN server. Client connection profiles are specified within an OpenVPN configuration file, and each profile is bracketed by <connection> and </connection>. An OpenVPN client will try each connection profile sequentially until it achieves a successful connection. --remote-random can be used to initially "scramble" the connection list. Here is an example of connection profile usage: <PRE> client dev tun <connection> remote 198.19.34.56 1194 udp </connection> <connection> remote 198.19.34.56 443 tcp </connection> <connection> remote 198.19.34.56 443 tcp http-proxy 192.168.0.8 8080 </connection> <connection> remote 198.19.36.99 443 tcp http-proxy 192.168.0.8 8080 </connection> persist-key persist-tun pkcs12 client.p12 remote-cert-tls server verb 3 </PRE> First we try to connect to a server at 198.19.34.56:1194 using UDP. If that fails, we then try to connect to 198.19.34.56:443 using TCP. If that also fails, then try connecting through an HTTP proxy at 192.168.0.8:8080 to 198.19.34.56:443 using TCP. Finally, try to connect through the same proxy to a server at 198.19.36.99:443 using TCP. The following OpenVPN options may be used inside of a <connection> block: bind, connect-retry, connect-retry-max, connect-timeout, explicit-exit-notify, float, fragment, http-proxy, http-proxy-option, link-mtu, local, lport, mssfix, mtu-disc, nobind, port, proto, remote, rport, socks-proxy, tun-mtu and tun-mtu-extra. A defaulting mechanism exists for specifying options to apply to all <connection> profiles. If any of the above options (with the exception of remote ) appear outside of a <connection> block, but in a configuration file which has one or more <connection> blocks, the option setting will be used as a default for <connection> blocks which follow it in the configuration file. For example, suppose the nobind option were placed in the sample configuration file above, near the top of the file, before the first <connection> block. The effect would be as if nobind were declared in all <connection> blocks below it. <DT>--proto-force p <DD> When iterating through connection profiles, only consider profiles using protocol p ('tcp'|'udp'). <DT>--remote-random <DD> When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure. <DT>--proto p <DD> Use protocol p for communicating with remote host. p can be udp, tcp-client, or tcp-server. The default protocol is udp when --proto is not specified. For UDP operation, --proto udp should be specified on both peers. For TCP operation, one peer must use --proto tcp-server and the other must use --proto tcp-client. A peer started with tcp-server will wait indefinitely for an incoming connection. A peer started with tcp-client will attempt to connect, and if that fails, will sleep for 5 seconds (adjustable via the --connect-retry option) and try again infinite or up to N retries (adjustable via the --connect-retry-max option). Both TCP client and server will simulate a SIGUSR1 restart signal if either side resets the connection. OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks. This article outlines some of problems with tunneling IP over TCP: <A HREF="http://sites.inka.de/sites/bigred/devel/tcp-tcp.html">http://sites.inka.de/sites/bigred/devel/tcp-tcp.html</A> There are certain cases, however, where using TCP may be advantageous from a security and robustness perspective, such as tunneling non-IP or application-level UDP protocols, or tunneling protocols which don't possess a built-in reliability layer. <DT>--connect-retry n [max] <DD> Wait n seconds between connection attempts (default=5). Repeated reconnection attempts are slowed down after 5 retries per remote by doubling the wait time after each unsuccessful attempt. The optional argument max specifies the maximum value of wait time in seconds at which it gets capped (default=300). <DT>--connect-retry-max n <DD> n specifies the number of times each --remote or <connection> entry is tried. Specifying n as one would try each entry exactly once. A successful connection resets the counter. (default=unlimited). <DT>--show-proxy-settings <DD> Show sensed HTTP or SOCKS proxy settings. Currently, only Windows clients support this option. <DT>--http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method] <DD> Connect to remote host through an HTTP proxy at address server and port port. If HTTP Proxy-Authenticate is required, authfile is a file containing a username and password on 2 lines, or "stdin" to prompt from console. Its content can also be specified in the config file with the --http-proxy-user-pass option. (See section on inline files) auth-method should be one of "none", "basic", or "ntlm". HTTP Digest authentication is supported as well, but only via the auto or auto-nct flags (below). The auto flag causes OpenVPN to automatically determine the auth-method and query stdin or the management interface for username/password credentials, if required. This flag exists on OpenVPN 2.1 or higher. The auto-nct flag (no clear-text auth) instructs OpenVPN to automatically determine the authentication method, but to reject weak authentication protocols such as HTTP Basic Authentication. <DT>--http-proxy-option type [parm] <DD> Set extended HTTP proxy options. Repeat to set multiple options. VERSION version -- Set HTTP version number to version (default=1.0). AGENT user-agent -- Set HTTP "User-Agent" string to user-agent. CUSTOM-HEADER name content -- Adds the custom Header with name as name and content as the content of the custom HTTP header. <DT>--socks-proxy server [port] [authfile] <DD> Connect to remote host through a Socks5 proxy at address server and port port (default=1080). authfile (optional) is a file containing a username and password on 2 lines, or "stdin" to prompt from console. <DT>--resolv-retry n <DD> If hostname resolve fails for --remote, retry resolve for n seconds before failing. Set n to "infinite" to retry indefinitely. By default, --resolv-retry infinite is enabled. You can disable by setting n=0. <DT>--float <DD> Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client. Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option. <DT>--ipchange cmd <DD> Run command cmd when our remote ip-address is initially authenticated or changes. cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces. When cmd is executed two arguments are appended after any arguments specified in cmd , as follows: cmd ip_address port_number Don't use --ipchange in --mode server mode. Use a --client-connect script instead. See

Emails

HREF="mailto:[email protected]">[email protected]</A>

HREF="mailto:[email protected]">[email protected]</A>

HREF="mailto:[email protected]">[email protected]</A>&gt

URLs

http-proxy

Signatures

Executes dropped EXE 7 IoCs

Processes:

hidec.exedevcon64.exedevcon64.exeopenvpn-install-2.4.8-I602-Win7.exetap-windows.exetapinstall.exetapinstall.exe

pid process

1432 hidec.exe
1856 devcon64.exe
524 devcon64.exe
1512 openvpn-install-2.4.8-I602-Win7.exe
904 tap-windows.exe
1588 tapinstall.exe
1696 tapinstall.exe

pid	process
1432	hidec.exe
1856	devcon64.exe
524	devcon64.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
904	tap-windows.exe
1588	tapinstall.exe
1696	tapinstall.exe

Loads dropped DLL 36 IoCs

Processes:

ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.execmd.exeopenvpn-install-2.4.8-I602-Win7.exetap-windows.exe

pid	process
1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe
1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe
2044	cmd.exe
2044	cmd.exe
2044	cmd.exe
2044	cmd.exe
2044	cmd.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
904	tap-windows.exe
904	tap-windows.exe
904	tap-windows.exe
904	tap-windows.exe
904	tap-windows.exe
904	tap-windows.exe
904	tap-windows.exe
904	tap-windows.exe

Drops file in System32 directory 9 IoCs

Processes:

DrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\SETBC6F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\SETBC6E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\SETBC6E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\SETBC6F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\SETBC6D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\SETBC6D.tmp	DrvInst.exe

Drops file in Program Files directory 18 IoCs

Processes:

openvpn-install-2.4.8-I602-Win7.exetap-windows.exe

description	ioc	process
File created	C:\Program Files\OpenVPN\sample-config\sample.ovpn	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv2.exe	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.cat	tap-windows.exe
File created	C:\Program Files\TAP-Windows\bin\deltapall.bat	tap-windows.exe
File created	C:\Program Files\TAP-Windows\license.txt	tap-windows.exe
File created	C:\Program Files\TAP-Windows\icon.ico	tap-windows.exe
File created	C:\Program Files\OpenVPN\doc\INSTALL-win32.txt	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\OpenVPN\doc\openvpn.8.html	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.sys	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv.exe	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\OpenVPN\log\README.txt	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\TAP-Windows\driver\OemVista.inf	tap-windows.exe
File created	C:\Program Files\TAP-Windows\bin\addtap.bat	tap-windows.exe
File created	C:\Program Files\OpenVPN\sample-config\client.ovpn	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\OpenVPN\sample-config\server.ovpn	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\TAP-Windows\bin\tapinstall.exe	tap-windows.exe
File created	C:\Program Files\OpenVPN\bin\openvpn.exe	openvpn-install-2.4.8-I602-Win7.exe
File created	C:\Program Files\OpenVPN\config\README.txt	openvpn-install-2.4.8-I602-Win7.exe

Drops file in Windows directory 3 IoCs

Processes:

DrvInst.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 9 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1104 taskkill.exe

pid	process
1104	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tapinstall.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1676 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

openvpn-install-2.4.8-I602-Win7.exe

pid process

1512 openvpn-install-2.4.8-I602-Win7.exe
1512 openvpn-install-2.4.8-I602-Win7.exe
1512 openvpn-install-2.4.8-I602-Win7.exe

pid	process
1676	PING.EXE

pid	process
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe
1512	openvpn-install-2.4.8-I602-Win7.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskkill.exetapinstall.exeDrvInst.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1696	tapinstall.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	1784	DrvInst.exe
Token: SeRestorePrivilege	2020	rundll32.exe
Token: SeRestorePrivilege	2020	rundll32.exe
Token: SeRestorePrivilege	2020	rundll32.exe
Token: SeRestorePrivilege	2020	rundll32.exe
Token: SeRestorePrivilege	2020	rundll32.exe
Token: SeRestorePrivilege	2020	rundll32.exe
Token: SeRestorePrivilege	2020	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exehidec.execmd.exe

description	pid	process	target process
PID 1872 wrote to memory of 1432	1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe	hidec.exe
PID 1872 wrote to memory of 1432	1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe	hidec.exe
PID 1872 wrote to memory of 1432	1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe	hidec.exe
PID 1872 wrote to memory of 1432	1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe	hidec.exe
PID 1872 wrote to memory of 1432	1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe	hidec.exe
PID 1872 wrote to memory of 1432	1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe	hidec.exe
PID 1872 wrote to memory of 1432	1872	ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe	hidec.exe
PID 1432 wrote to memory of 2044	1432	hidec.exe	cmd.exe
PID 1432 wrote to memory of 2044	1432	hidec.exe	cmd.exe
PID 1432 wrote to memory of 2044	1432	hidec.exe	cmd.exe
PID 1432 wrote to memory of 2044	1432	hidec.exe	cmd.exe
PID 1432 wrote to memory of 2044	1432	hidec.exe	cmd.exe
PID 1432 wrote to memory of 2044	1432	hidec.exe	cmd.exe
PID 1432 wrote to memory of 2044	1432	hidec.exe	cmd.exe
PID 2044 wrote to memory of 1284	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 1284	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 1284	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 1284	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 1284	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 1284	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 1284	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 948	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 948	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 948	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 948	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 948	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 948	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 948	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 944	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 944	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 944	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 944	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 944	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 944	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 944	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 896	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 896	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 896	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 896	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 896	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 896	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 896	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 2016	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 2016	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 2016	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 2016	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 2016	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 2016	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 2016	2044	cmd.exe	find.exe
PID 2044 wrote to memory of 1104	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1104	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1104	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1104	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1104	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1104	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1104	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1676	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1676	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1676	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1676	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1676	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1676	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1676	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1856	2044	cmd.exe	devcon64.exe

C:\Users\Admin\AppData\Local\Temp\ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe
"C:\Users\Admin\AppData\Local\Temp\ab4a399d20b831bbec26573ce82b72c6d71b7e978accd943cf26e3a75d3e87a9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\chcp.com
chcp.com 866
4⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver.exe 2>nul"
4⤵
PID:948

C:\Windows\SysWOW64\find.exe
find.exe " 6."
4⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver.exe 2>nul"
4⤵
PID:896

C:\Windows\SysWOW64\find.exe
find.exe " 5."
4⤵
PID:2016

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "devcon32.exe" /IM "devcon64.exe" /IM "tap-windows.exe" /IM "openvpn-run.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\PING.EXE
ping.exe 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1676

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe" remove "tap0901"
4⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe" remove "tap0801"
4⤵
- Executes dropped EXE
PID:524

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F
4⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F
4⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F
4⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F
4⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F
4⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\.ovpn" /F
4⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\OpenVPN" /F
4⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F
4⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe" /S
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
"C:\Users\Admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:904

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
6⤵
- Executes dropped EXE
PID:1588

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{54e65ac9-2c06-6fb6-8cc1-305d17fab471}\oemvista.inf" "9" "6d14a44ff" "00000000000004A8" "WinSta0\Default" "0000000000000594" "208" "c:\program files\tap-windows\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2c976918-8d3f-31ac-34d5-875dcc249c04} Global\{52cbd670-78a1-6f27-c33e-8e080c96ff65} C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\tap0901.cat
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TAP-Windows\bin\tapinstall.exe
Filesize
486KB

MD5
f19cffff76ff48e98f060a563dd8345b

SHA1
c77f3fe9ffba02de288661fbb66656791196edbc

SHA256
16d1ff6409065d9c0bc50fc2ade61b3299a141cf2553749d8891bedbea43de70

SHA512
0d4a53fa4b0d4ff71af1fff5888005570404bf5309942f477b1d754073f6d200abade20daaffa3fb6da55f2b23588ca439273bd9268257b83b00f973b7b61841

Download Submit
C:\Program Files\TAP-Windows\bin\tapinstall.exe
Filesize
486KB

MD5
f19cffff76ff48e98f060a563dd8345b

SHA1
c77f3fe9ffba02de288661fbb66656791196edbc

SHA256
16d1ff6409065d9c0bc50fc2ade61b3299a141cf2553749d8891bedbea43de70

SHA512
0d4a53fa4b0d4ff71af1fff5888005570404bf5309942f477b1d754073f6d200abade20daaffa3fb6da55f2b23588ca439273bd9268257b83b00f973b7b61841

Download Submit
C:\Program Files\TAP-Windows\driver\OemVista.inf
Filesize
7KB

MD5
50d29ca2e3ddb8a696923420ec2ac4fa

SHA1
d85f4e65fe10f13ded1780ddbd074edfc75f2d25

SHA256
817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b

SHA512
03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\tapdel.bat
Filesize
493B

MD5
20be78849f16f8008914d8146b5a06f3

SHA1
7025a9cf11277fcafb527a1b6bd72fa9e467d6e2

SHA256
fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2

SHA512
0f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat
Filesize
7KB

MD5
f3016c2cb0997158a76b6d5c6f2c4aab

SHA1
654ebbde8cb295f79e265c4bcfe79fd2e5fcb335

SHA256
ccc338c1528ce628db9053bafc6c55c79d364f6ebd397e3057618ac73c5a8a6b

SHA512
7abb64fba592571e03b3ea62fa05256c317fd4cd759558866eb6494b2a8703e2fb41c5afd8ddc4fb8bef00f6a2b158471a4425edac6d21ec26ab4a42dd5545f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe
Filesize
4.1MB

MD5
73bcd5b6a0208d953a38ed74fdef5ff1

SHA1
8c9f28d7bdbb4613777a9741809e34b91fd45a0f

SHA256
16165e4505874e71c9fe732041274c3ce10e0881dfeeece529e8b54c5b558296

SHA512
f599a4e25a9c48642c6bae94d13396222b93bcda0aa5efd2cd16557bb64fc967dcf54a6a8445824db1c420af0f8dcde31fb0bc3a96134720d0d08b52f0967ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe
Filesize
4.1MB

MD5
73bcd5b6a0208d953a38ed74fdef5ff1

SHA1
8c9f28d7bdbb4613777a9741809e34b91fd45a0f

SHA256
16165e4505874e71c9fe732041274c3ce10e0881dfeeece529e8b54c5b558296

SHA512
f599a4e25a9c48642c6bae94d13396222b93bcda0aa5efd2cd16557bb64fc967dcf54a6a8445824db1c420af0f8dcde31fb0bc3a96134720d0d08b52f0967ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
Filesize
561KB

MD5
df2dfcd6d8a69c2799a43baf80d34047

SHA1
f0fd7873544739a0cac4cf93e446efe629c00668

SHA256
35cfa71fe2952192c13cbbd8a2f3f62a6486af406008e654646ea1d823928d46

SHA512
e4d7aab39539c7020538a5d26554e52fb23a365d6b8276a10ea25bb4067a04c5e40417cd54c73d8686d6023597b2be0ee138960428c7ca1d791620d5464d3764

Download Submit
C:\Users\Admin\AppData\Local\Temp\tap-windows.exe
Filesize
561KB

MD5
df2dfcd6d8a69c2799a43baf80d34047

SHA1
f0fd7873544739a0cac4cf93e446efe629c00668

SHA256
35cfa71fe2952192c13cbbd8a2f3f62a6486af406008e654646ea1d823928d46

SHA512
e4d7aab39539c7020538a5d26554e52fb23a365d6b8276a10ea25bb4067a04c5e40417cd54c73d8686d6023597b2be0ee138960428c7ca1d791620d5464d3764

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54E65~1\tap0901.sys
Filesize
30KB

MD5
7da5638f82f0ef7a759c9a35cfae38e3

SHA1
841a86f416a882b0743fd6d9c9f29baf3ed06b6a

SHA256
fb4825ce4b0bf61fa4e30109ef5d718906716560cdc8274092fcb072c5bd762d

SHA512
53867e2c53e263d9df613d973f946d0cee703acc4e48e63c9178fddcc34c070060957e77fd729e876a9adb20cc8cee4b0dbdc6166bac573fc7e84bfb0ae8e9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54e65ac9-2c06-6fb6-8cc1-305d17fab471}\oemvista.inf
Filesize
7KB

MD5
50d29ca2e3ddb8a696923420ec2ac4fa

SHA1
d85f4e65fe10f13ded1780ddbd074edfc75f2d25

SHA256
817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b

SHA512
03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54e65ac9-2c06-6fb6-8cc1-305d17fab471}\tap0901.cat
Filesize
9KB

MD5
685d08d5e2a2450648a40b518e2046fc

SHA1
d99e38968de1ca1850971a2b81bfdab49626aaed

SHA256
56a658934acc55ad665d685ae05913b4710e053a8fd385c0798b96041da161b2

SHA512
619d08317328b351feea51c08c57b4704eea0a92836d6ed3be850478ea6a9c2a14dfa30c763581608e16983010ab2e12b51e3bec68f3480ee45a04c0e857fdb7

Download Submit
C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\oemvista.inf
Filesize
7KB

MD5
50d29ca2e3ddb8a696923420ec2ac4fa

SHA1
d85f4e65fe10f13ded1780ddbd074edfc75f2d25

SHA256
817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b

SHA512
03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3

Download Submit
C:\Windows\System32\DriverStore\Temp\{6abf200b-afd7-459e-0c80-845600f12352}\tap0901.cat
Filesize
9KB

MD5
685d08d5e2a2450648a40b518e2046fc

SHA1
d99e38968de1ca1850971a2b81bfdab49626aaed

SHA256
56a658934acc55ad665d685ae05913b4710e053a8fd385c0798b96041da161b2

SHA512
619d08317328b351feea51c08c57b4704eea0a92836d6ed3be850478ea6a9c2a14dfa30c763581608e16983010ab2e12b51e3bec68f3480ee45a04c0e857fdb7

Download Submit
\??\c:\PROGRA~1\TAP-WI~1\driver\tap0901.sys
Filesize
30KB

MD5
7da5638f82f0ef7a759c9a35cfae38e3

SHA1
841a86f416a882b0743fd6d9c9f29baf3ed06b6a

SHA256
fb4825ce4b0bf61fa4e30109ef5d718906716560cdc8274092fcb072c5bd762d

SHA512
53867e2c53e263d9df613d973f946d0cee703acc4e48e63c9178fddcc34c070060957e77fd729e876a9adb20cc8cee4b0dbdc6166bac573fc7e84bfb0ae8e9f4

Download Submit
\??\c:\program files\tap-windows\driver\tap0901.cat
Filesize
9KB

MD5
685d08d5e2a2450648a40b518e2046fc

SHA1
d99e38968de1ca1850971a2b81bfdab49626aaed

SHA256
56a658934acc55ad665d685ae05913b4710e053a8fd385c0798b96041da161b2

SHA512
619d08317328b351feea51c08c57b4704eea0a92836d6ed3be850478ea6a9c2a14dfa30c763581608e16983010ab2e12b51e3bec68f3480ee45a04c0e857fdb7

Download Submit
\Program Files\OpenVPN\bin\openvpn.exe
Filesize
820KB

MD5
2a16506f43ad6ad1abc4ba6236cd52cc

SHA1
4d99bb40230596072ebcbc9164933b3b77c96f17

SHA256
e32da5bfc8077d2125724f316e53ad348688735d8f2c9f6c371fe59427aeb1a0

SHA512
704f2ec6d5f0dce0cafe4c2053b19ebd94cb369a09bf77ca91465646ec6f0b9814d4f3a44b299127449896113784476eafff551c5f70323c5b4443eab5d6bf2a

Download Submit
\Program Files\TAP-Windows\bin\tapinstall.exe
Filesize
486KB

MD5
f19cffff76ff48e98f060a563dd8345b

SHA1
c77f3fe9ffba02de288661fbb66656791196edbc

SHA256
16d1ff6409065d9c0bc50fc2ade61b3299a141cf2553749d8891bedbea43de70

SHA512
0d4a53fa4b0d4ff71af1fff5888005570404bf5309942f477b1d754073f6d200abade20daaffa3fb6da55f2b23588ca439273bd9268257b83b00f973b7b61841

Download Submit
\Program Files\TAP-Windows\bin\tapinstall.exe
Filesize
486KB

MD5
f19cffff76ff48e98f060a563dd8345b

SHA1
c77f3fe9ffba02de288661fbb66656791196edbc

SHA256
16d1ff6409065d9c0bc50fc2ade61b3299a141cf2553749d8891bedbea43de70

SHA512
0d4a53fa4b0d4ff71af1fff5888005570404bf5309942f477b1d754073f6d200abade20daaffa3fb6da55f2b23588ca439273bd9268257b83b00f973b7b61841

Download Submit
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\bin\devcon64.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\Users\Admin\AppData\Local\Temp\OpenVPN\openvpn-install-2.4.8-I602-Win7.exe
Filesize
4.1MB

MD5
73bcd5b6a0208d953a38ed74fdef5ff1

SHA1
8c9f28d7bdbb4613777a9741809e34b91fd45a0f

SHA256
16165e4505874e71c9fe732041274c3ce10e0881dfeeece529e8b54c5b558296

SHA512
f599a4e25a9c48642c6bae94d13396222b93bcda0aa5efd2cd16557bb64fc967dcf54a6a8445824db1c420af0f8dcde31fb0bc3a96134720d0d08b52f0967ecc

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\System.dll
Filesize
23KB

MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\System.dll
Filesize
23KB

MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\UserInfo.dll
Filesize
6KB

MD5
9f0cb655a832fdecb9433dd781004637

SHA1
bea6b32a5d2d6d152a52847db1184fab956a9d3b

SHA256
a94fd67daf9137b26e2d98aa4cf46614439bd64263c5c211369a232c444862ea

SHA512
5fd32197a5d9bb7cc65e3917791023fbe2b80a34899d4363475a7fb05fb1051c0a17c72359f3c215d0fd41bbb2dfed0bb95c766131fc175c18ac91cf54b05551

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\nsExec.dll
Filesize
9KB

MD5
1139fb5cc942e668c8277f8b8f1e5f20

SHA1
94bbb2454dad420b70553c0fca4899f120d3ed43

SHA256
9cb71f00c19397723d39861ff809c70f9d2cdbcf91b3dd8021060714512a39cb

SHA512
08e8eb820801875208d9f28fb1416e0fc66abf5cc343e7ac973cc6736dbcd0f85b1bf42e8d110ad8c9a9ced204c00cf530099b8c411871762615051e1f7061d0

Download Submit
\Users\Admin\AppData\Local\Temp\nso5CF2.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAFC2.tmp\ShellLink.dll
Filesize
4KB

MD5
aad75be0bdd1f1bac758b521c9f1d022

SHA1
5d444b8432c8834f5b5cd29225101856cebb8ecf

SHA256
d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7

SHA512
4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAFC2.tmp\ShellLink.dll
Filesize
4KB

MD5
aad75be0bdd1f1bac758b521c9f1d022

SHA1
5d444b8432c8834f5b5cd29225101856cebb8ecf

SHA256
d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7

SHA512
4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAFC2.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAFC2.tmp\UserInfo.dll
Filesize
4KB

MD5
7836f464ae0102452e94a363b491b759

SHA1
59909a48448b99e2eb9cd336d81d60764da59f31

SHA256
11adf8916947b5a20a071b494fa034cf62769dcc6293a1340b29a5bb29ac8e87

SHA512
5ed63eefa1b3b3caad4cb762ccb8419c05bcad3da3a7415235cda2d2a1f79eb018503ca30a0a92d6b72160327decea9a70c48e0c28de94dd67303d4aea4a02db

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAFC2.tmp\nsExec.dll
Filesize
6KB

MD5
50ba20cad29399e2db9fa75a1324bd1d

SHA1
3850634bb15a112623222972ef554c8d1eca16f4

SHA256
e7b145abc7c519e6bd91dc06b7b83d1e73735ac1ac37d30a7889840a6eed38fc

SHA512
893e053fcb0a2d3742e2b13b869941a3a485b2bda3a92567f84190cb1be170b67d20cc71c6a2cb92f4202140c8afd9c40a358496947d709e0c4b68d43a368754

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAFC2.tmp\nsExec.dll
Filesize
6KB

MD5
50ba20cad29399e2db9fa75a1324bd1d

SHA1
3850634bb15a112623222972ef554c8d1eca16f4

SHA256
e7b145abc7c519e6bd91dc06b7b83d1e73735ac1ac37d30a7889840a6eed38fc

SHA512
893e053fcb0a2d3742e2b13b869941a3a485b2bda3a92567f84190cb1be170b67d20cc71c6a2cb92f4202140c8afd9c40a358496947d709e0c4b68d43a368754

Download Submit
\Users\Admin\AppData\Local\Temp\tap-windows.exe
Filesize
561KB

MD5
df2dfcd6d8a69c2799a43baf80d34047

SHA1
f0fd7873544739a0cac4cf93e446efe629c00668

SHA256
35cfa71fe2952192c13cbbd8a2f3f62a6486af406008e654646ea1d823928d46

SHA512
e4d7aab39539c7020538a5d26554e52fb23a365d6b8276a10ea25bb4067a04c5e40417cd54c73d8686d6023597b2be0ee138960428c7ca1d791620d5464d3764

Download Submit
memory/332-89-0x0000000000000000-mapping.dmp

Download
memory/524-85-0x0000000000000000-mapping.dmp

Download
memory/536-95-0x0000000000000000-mapping.dmp

Download
memory/868-93-0x0000000000000000-mapping.dmp

Download
memory/888-87-0x0000000000000000-mapping.dmp

Download
memory/896-69-0x0000000000000000-mapping.dmp

Download
memory/904-143-0x0000000000000000-mapping.dmp

Download
memory/944-67-0x0000000000000000-mapping.dmp

Download
memory/948-65-0x0000000000000000-mapping.dmp

Download
memory/1104-73-0x0000000000000000-mapping.dmp

Download
memory/1284-63-0x0000000000000000-mapping.dmp

Download
memory/1432-57-0x0000000000000000-mapping.dmp

Download
memory/1504-101-0x0000000000000000-mapping.dmp

Download
memory/1512-105-0x0000000000000000-mapping.dmp

Download
memory/1512-112-0x0000000000940000-0x0000000000953000-memory.dmp

Filesize
76KB

Download
memory/1520-97-0x0000000000000000-mapping.dmp

Download
memory/1588-153-0x0000000000000000-mapping.dmp

Download
memory/1600-99-0x0000000000000000-mapping.dmp

Download
memory/1676-75-0x0000000000000000-mapping.dmp

Download
memory/1696-157-0x0000000000000000-mapping.dmp

Download
memory/1856-81-0x0000000000000000-mapping.dmp

Download
memory/1872-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1964-91-0x0000000000000000-mapping.dmp

Download
memory/2016-71-0x0000000000000000-mapping.dmp

Download
memory/2020-165-0x0000000000000000-mapping.dmp

Download
memory/2020-166-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/2044-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads