Resubmissions

25-10-2022 19:39

221025-ydf41adfa8 5

24-10-2022 20:28

221024-y84hsaade9 10

Analysis

  • max time kernel
    1096s
  • max time network
    1754s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-10-2022 20:28

General

  • Target

    Downloads.exe

  • Size

    20.4MB

  • MD5

    1f8d2846109b9b9fdadb28ba1492dbff

  • SHA1

    6a89d407a8cbe41392fe8771c9b4ab01e479bd2d

  • SHA256

    39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148

  • SHA512

    33a5dd606f2f4c1513189560989a3c61cbd47b2a282e7d32798e548f4d53a421075d23a416ce443fb91121c24b79c6132bd652e069cdf063f9f2480e2bb5b452

  • SSDEEP

    393216:NCaD/8a2qhzNvMnSVtxr6lTyuF0WOifSRrd1cFKe9CX5QqiMikP537aXmb0r:4aDkalhpZ0lVHSzevqeMvbU

Malware Config

Extracted

Path

C:\Program Files\OpenVPN\doc\openvpn.8.html

Ransom Note
Emails

goodger@python.org

URLs

http-equiv="Content-Type"

http://docutils.sourceforge.net/"

http://docutils.sf.net/docs/howto/html-stylesheets.html

http-proxy

http-proxy-option

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    fcb-aws-host-4

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

gfhhjgh.duckdns.org:8050

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    system32.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

fickerstealer

C2

80.87.192.115:80

Extracted

Family

oski

C2

prepepe.ac.ug

Extracted

Family

redline

Botnet

@zhilsholi

C2

yabynennet.xyz:81

Attributes
  • auth_value

    c2d0b7a2ede97b91495c99e75b4f27fb

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

5781468cedb3a203003fdf1f12e72fe98d6f1c0f

Attributes
  • url4cnc

    http://194.180.174.53/brikitiki

    http://91.219.236.18/brikitiki

    http://194.180.174.41/brikitiki

    http://91.219.236.148/brikitiki

    https://t.me/brikitiki

rc4.plain
rc4.plain

Extracted

Family

pony

C2

http://londonpaerl.co.uk/yesup/gate.php

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Blackmoon payload 1 IoCs
  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

  • Detects Smokeloader packer 1 IoCs
  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Oski

    Oski is an infostealer targeting browser data and crypto wallets.

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Process spawned unexpected child process 13 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • UAC bypass 3 TTPs 9 IoCs
  • Async RAT payload 1 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Drops file in Drivers directory 7 IoCs
  • Executes dropped EXE 35 IoCs
  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 19 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 47 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 55 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Downloads.exe
    "C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:1104
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\OpenVPN-2.5.7-I602-amd64 (1).msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2012
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 05B67D18F5DC745F86479FBA27536E1C C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Program Files\OpenVPN\bin\openvpn-gui.exe
        "C:\Program Files\OpenVPN\bin\openvpn-gui.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Program Files\OpenVPN\bin\openvpn.exe
          openvpn --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:268
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 8E9812B685C46ACE038115CAD0A4C00E
      2⤵
      • Loads dropped DLL
      PID:1652
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 22B734F1894817DF29C1DBFAA1C2E831 M Global\MSI0000
      2⤵
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\system32\netsh.exe
        netsh interface set interface name="Local Area Connection 2" newname="OpenVPN Wintun"
        3⤵
        • Modifies data under HKEY_USERS
        PID:1900
      • C:\Windows\system32\netsh.exe
        netsh interface set interface name="Local Area Connection 2" newname="OpenVPN TAP-Windows6"
        3⤵
          PID:516
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:1348
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000568" "000000000000032C"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:1596
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6b22850e-7c35-7017-357c-17709bdc2a6f}\wintun.inf" "9" "65109ab53" "000000000000032C" "WinSta0\Default" "0000000000000568" "208" "C:\Windows\Temp\de46534946d5613aa598c892a26a4182e94cd8b2dd3a6b923b7dde9c2b4b5c22"
        1⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2bec2ae7-e0b1-26f9-d6c8-9c2f82a6f34a} Global\{2f2d8b98-d59b-6a85-20e8-477fcc11540e} C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.inf C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.cat
          2⤵
          • Modifies data under HKEY_USERS
          PID:1540
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7104eb05-f44a-12d6-05eb-0471b794c41e}\OemVista.inf" "9" "68a913dff" "0000000000000568" "WinSta0\Default" "00000000000004A4" "208" "C:\Windows\Temp\1571a9adb2f64dcfff8b210f1870edb801825b3a54267cb0b9bd88abba8f1a60"
        1⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2bc51c5d-22f9-4e08-e2af-570ffb6a4c78} Global\{41fae03e-d645-7b76-dd27-bb6458cf5a18} C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\OemVista.inf C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.cat
          2⤵
          • Modifies data under HKEY_USERS
          PID:1608
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "wintun.inf:Wintun.NTamd64:Wintun.Install:0.8.0.0:wintun" "62b53aaff" "0000000000000330" "000000000000058C" "000000000000054C"
        1⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:1960
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:root\tap0901" "633338203" "00000000000002A8" "0000000000000330" "00000000000004C0"
        1⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:1896
      • C:\Program Files\OpenVPN\bin\openvpnserv.exe
        "C:\Program Files\OpenVPN\bin\openvpnserv.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1900
      • C:\Program Files\OpenVPN\bin\openvpn-gui.exe
        "C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --command import "C:\Users\Admin\Desktop\Russia-udp.ovpn"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1008
      • C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
        "C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"
        1⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1760
      • C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe
        "C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Users\Admin\AppData\Roaming\healastounding.exe
          "C:\Users\Admin\AppData\Roaming\healastounding.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Users\Admin\AppData\Roaming\test.exe
            "C:\Users\Admin\AppData\Roaming\test.exe"
            3⤵
            • Executes dropped EXE
            PID:1604
          • C:\Users\Admin\AppData\Roaming\gay.exe
            "C:\Users\Admin\AppData\Roaming\gay.exe"
            3⤵
            • Executes dropped EXE
            PID:1612
            • C:\Users\Admin\AppData\Roaming\mediaget.exe
              "C:\Users\Admin\AppData\Roaming\mediaget.exe"
              4⤵
              • Executes dropped EXE
              • Drops startup file
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              PID:936
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
                5⤵
                • Modifies Windows Firewall
                PID:2500
          • C:\Users\Admin\AppData\Roaming\Opus.exe
            "C:\Users\Admin\AppData\Roaming\Opus.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            PID:1568
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1872.tmp"
              4⤵
              • Creates scheduled task(s)
              PID:548
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2E91.tmp"
              4⤵
              • Creates scheduled task(s)
              PID:2112
          • C:\Users\Admin\AppData\Roaming\aaa.exe
            "C:\Users\Admin\AppData\Roaming\aaa.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1632
            • C:\Users\Admin\AppData\Roaming\aaa.exe
              "C:\Users\Admin\AppData\Roaming\aaa.exe"
              4⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              • Accesses Microsoft Outlook profiles
              • outlook_win_path
              PID:1796
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\8162955.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "
                5⤵
                  PID:2808
            • C:\Users\Admin\AppData\Roaming\4.exe
              "C:\Users\Admin\AppData\Roaming\4.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:552
              • C:\Users\Admin\AppData\Roaming\3.exe
                "C:\Users\Admin\AppData\Roaming\3.exe"
                4⤵
                • UAC bypass
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • System policy modification
                PID:432
                • C:\Users\Admin\AppData\Roaming\3.exe
                  "C:\Users\Admin\AppData\Roaming\3.exe"
                  5⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Checks whether UAC is enabled
                  • Drops file in System32 directory
                  • Drops file in Program Files directory
                  • System policy modification
                  PID:2112
                  • C:\Users\Admin\AppData\Roaming\test\Opus.exe
                    "C:\Users\Admin\AppData\Roaming\test\Opus.exe"
                    6⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • System policy modification
                    PID:3016
            • C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
              "C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:1464
              • C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
                "C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:1052
                • C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
                  "C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:1716
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 848
                    6⤵
                    • Program crash
                    PID:2856
              • C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
                "C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2016
                • C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
                  "C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:520
              • C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                "C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                4⤵
                • Executes dropped EXE
                PID:1892
            • C:\Users\Admin\AppData\Roaming\a.exe
              "C:\Users\Admin\AppData\Roaming\a.exe"
              3⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:1236
          • C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
            "C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
            2⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            PID:556
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              3⤵
              • Accesses Microsoft Outlook accounts
              PID:2592
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
              3⤵
                PID:1916
            • C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
              "C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1184
              • C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                "C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                3⤵
                • Executes dropped EXE
                PID:1712
            • C:\Users\Admin\AppData\Roaming\22.exe
              "C:\Users\Admin\AppData\Roaming\22.exe"
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:960
              • C:\Windows\SysWOW64\netsh.exe
                netsh ipsec static add policy name=Block
                3⤵
                  PID:1760
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filterlist name=Filter1
                  3⤵
                    PID:2488
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    3⤵
                      PID:2640
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                      3⤵
                        PID:2784
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                        3⤵
                          PID:2844
                      • C:\Users\Admin\AppData\Roaming\___11.19.exe
                        "C:\Users\Admin\AppData\Roaming\___11.19.exe"
                        2⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in Program Files directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:2020
                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                          3⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:1940
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
                            4⤵
                              PID:2008
                              • C:\Windows\SysWOW64\PING.EXE
                                ping -n 2 127.0.0.1
                                5⤵
                                • Runs ping.exe
                                PID:1100
                          • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                            C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                            3⤵
                            • Executes dropped EXE
                            • Sets DLL path for service in the registry
                            • Drops file in System32 directory
                            PID:828
                          • C:\Users\Admin\AppData\Roaming\HD____11.19.exe
                            C:\Users\Admin\AppData\Roaming\HD____11.19.exe
                            3⤵
                            • Executes dropped EXE
                            PID:2140
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 324
                              4⤵
                              • Program crash
                              PID:3000
                      • C:\Windows\SysWOW64\TXPlatforn.exe
                        C:\Windows\SysWOW64\TXPlatforn.exe -auto
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1576
                        • C:\Windows\SysWOW64\TXPlatforn.exe
                          C:\Windows\SysWOW64\TXPlatforn.exe -acsi
                          2⤵
                          • Drops file in Drivers directory
                          • Executes dropped EXE
                          • Sets service image path in registry
                          • Suspicious behavior: LoadsDriver
                          PID:1748
                      • C:\Windows\SysWOW64\svchost.exe
                        C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
                        1⤵
                        • Drops file in System32 directory
                        PID:1744
                        • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
                          C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\8134594.txt",MainThread
                          2⤵
                          • Executes dropped EXE
                          PID:2300
                      • C:\Windows\SysWOW64\svchost.exe
                        C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
                        1⤵
                          PID:1960
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\wshirda\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2768
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "aaa" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Opus\aaa.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2892
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2968
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "openvpn-gui" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\openvpn-gui.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:1960
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\DisableDismount\a.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:968
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "openvpnserv" /sc ONLOGON /tr "'C:\Program Files\OpenVPN\bin\libpkcs11-helper-1\openvpnserv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2132
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "0fd7de5367376231a788872005d7ed4f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pid\0fd7de5367376231a788872005d7ed4f.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2228
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "Opus" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\test\Opus.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2552
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "openvpn-gui" /sc ONLOGON /tr "'C:\Program Files\OpenVPN\bin\openvpnserv\openvpn-gui.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2688
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\jnwmon\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2184
                        • C:\Windows\system32\conhost.exe
                          \??\C:\Windows\system32\conhost.exe "160340192818797396851470131155-7780651571704574106-19396846661932494448-430395747"
                          1⤵
                            PID:2784
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" /sc ONLOGON /tr "'C:\Windows\SysWOW64\extrac32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2888
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\KBDSP\sppsvc.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2424
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "3" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\3.exe'" /rl HIGHEST /f
                            1⤵
                            • Process spawned unexpected child process
                            • Creates scheduled task(s)
                            PID:2952

                          MITRE ATT&CK Matrix ATT&CK v6

                          Each entry: technique (ID): count

                          Execution
                          • Scripting (T1064): 1
                          • Scheduled Task (T1053): 1

                          Persistence
                          • Registry Run Keys / Startup Folder (T1060): 4
                          • Modify Existing Service (T1031): 1
                          • Scheduled Task (T1053): 1

                          Privilege Escalation
                          • Bypass User Account Control (T1088): 1
                          • Scheduled Task (T1053): 1

                          Defense Evasion
                          • Bypass User Account Control (T1088): 1
                          • Disabling Security Tools (T1089): 1
                          • Modify Registry (T1112): 7
                          • Virtualization/Sandbox Evasion (T1497): 1
                          • Scripting (T1064): 1

                          Credential Access
                          • Credentials in Files (T1081): 2

                          Discovery
                          • Query Registry (T1012): 5
                          • Virtualization/Sandbox Evasion (T1497): 1
                          • System Information Discovery (T1082): 5
                          • Peripheral Device Discovery (T1120): 2
                          • Remote System Discovery (T1018): 1

                          Collection
                          • Data from Local System (T1005): 2
                          • Email Collection (T1114): 2

                          Downloads

                          • C:\Program Files\OpenVPN\bin\VCRUNTIME140.dll
                            Filesize

                            94KB

                          • C:\Program Files\OpenVPN\bin\openvpnserv.exe
                            Filesize

                            63KB

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
                            Filesize

                            471B

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_9E87DAFD2E5867FC65A4BDC474DCD371
                            Filesize

                            471B

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                            Filesize

                            60KB

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                            Filesize

                            1KB

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
                            Filesize

                            434B

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_9E87DAFD2E5867FC65A4BDC474DCD371
                            Filesize

                            430B

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                            Filesize

                            342B

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                            Filesize

                            254B

                          • C:\Users\Admin\AppData\Local\Temp\MSI7DDE.tmp
                            Filesize

                            191KB

                          • C:\Users\Admin\AppData\Local\Temp\MSI83A9.tmp
                            Filesize

                            191KB

                          • C:\Users\Admin\AppData\Local\Temp\{6B228~1\wintun.sys
                            Filesize

                            28KB

                          • C:\Users\Admin\AppData\Local\Temp\{6b22850e-7c35-7017-357c-17709bdc2a6f}\wintun.cat
                            Filesize

                            9KB

                          • C:\Users\Admin\AppData\Local\Temp\{6b22850e-7c35-7017-357c-17709bdc2a6f}\wintun.inf
                            Filesize

                            1KB

                          • C:\Users\Admin\AppData\Local\Temp\{7104E~1\tap0901.sys
                            Filesize

                            30KB

                          • C:\Users\Admin\AppData\Local\Temp\{7104eb05-f44a-12d6-05eb-0471b794c41e}\OemVista.inf
                            Filesize

                            7KB

                          • C:\Users\Admin\AppData\Local\Temp\{7104eb05-f44a-12d6-05eb-0471b794c41e}\tap0901.cat
                            Filesize

                            9KB

                          • C:\Users\Admin\Desktop\OpenVPN-2.5.7-I602-amd64 (1).msi
                            Filesize

                            4.2MB

                          • C:\Windows\INF\oem2.PNF
                            Filesize

                            7KB


                          • C:\Windows\INF\oem2.inf
                            Filesize

                            1KB


                          • C:\Windows\INF\oem3.PNF
                            Filesize

                            8KB


                          • C:\Windows\INF\oem3.inf
                            Filesize

                            7KB


                          • C:\Windows\Installer\MSI154D.tmp
                            Filesize

                            275KB


                          • C:\Windows\Installer\MSI15AB.tmp
                            Filesize

                            262KB


                          • C:\Windows\Installer\MSI1781.tmp
                            Filesize

                            191KB


                          • C:\Windows\Installer\MSI1C81.tmp
                            Filesize

                            275KB


                          • C:\Windows\Installer\MSI37A1.tmp
                            Filesize

                            191KB


                          • C:\Windows\Installer\MSI7425.tmp
                            Filesize

                            191KB


                          • C:\Windows\Installer\MSI7465.tmp
                            Filesize

                            191KB


                          • C:\Windows\Installer\MSI74F3.tmp
                            Filesize

                            191KB


                          • C:\Windows\Installer\MSI81BA.tmp
                            Filesize

                            262KB


                          • C:\Windows\Installer\MSIFDF.tmp
                            Filesize

                            191KB


                          • C:\Windows\System32\DRIVER~1\FILERE~1\OEMVIS~1.INF\tap0901.sys
                            Filesize

                            30KB


                          • C:\Windows\System32\DRIVER~1\FILERE~1\WINTUN~1.INF\wintun.sys
                            Filesize

                            28KB


                          • C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF
                            Filesize

                            8KB


                          • C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_neutral_def3401515466414\wintun.PNF
                            Filesize

                            7KB


                          • C:\Windows\System32\DriverStore\INFCACHE.1
                            Filesize

                            1.4MB


                          • C:\Windows\System32\DriverStore\INFCACHE.1
                            Filesize

                            1.4MB


                          • C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\OemVista.inf
                            Filesize

                            7KB


                          • C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.cat
                            Filesize

                            9KB


                          • C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.cat
                            Filesize

                            9KB


                          • C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.inf
                            Filesize

                            1KB


                          • \??\PIPE\srvsvc

                          • \Program Files\OpenVPN\bin\openvpn-gui.exe
                            Filesize

                            801KB


                          • \Program Files\OpenVPN\bin\openvpnserv.exe
                            Filesize

                            63KB


                          • \Program Files\OpenVPN\bin\tapctl.exe
                            Filesize

                            37KB


                          • \Program Files\OpenVPN\bin\vcruntime140.dll
                            Filesize

                            94KB


                          • \Users\Admin\AppData\Local\Temp\MSI7DDE.tmp
                            Filesize

                            191KB


                          • \Users\Admin\AppData\Local\Temp\MSI83A9.tmp
                            Filesize

                            191KB


                          • \Windows\Installer\MSI154D.tmp
                            Filesize

                            275KB


                          • \Windows\Installer\MSI15AB.tmp
                            Filesize

                            262KB


                          • \Windows\Installer\MSI1781.tmp
                            Filesize

                            191KB


                          • \Windows\Installer\MSI1C81.tmp
                            Filesize

                            275KB


                          • \Windows\Installer\MSI37A1.tmp
                            Filesize

                            191KB


                          • \Windows\Installer\MSI7425.tmp
                            Filesize

                            191KB


                          • \Windows\Installer\MSI7465.tmp
                            Filesize

                            191KB


                          • \Windows\Installer\MSI74F3.tmp
                            Filesize

                            191KB


                          • \Windows\Installer\MSI81BA.tmp
                            Filesize

                            262KB


                          • \Windows\Installer\MSIFDF.tmp
                            Filesize

                            191KB



                          • memory/1236-226-0x0000000000400000-0x00000000007C2000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/1236-233-0x0000000000400000-0x00000000007C2000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/1236-227-0x0000000000360000-0x00000000003C0000-memory.dmp
                            Filesize

                            384KB

                          • memory/1236-184-0x0000000000000000-mapping.dmp
                          • memory/1236-235-0x0000000000400000-0x00000000007C2000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/1320-160-0x0000000000000000-mapping.dmp
                          • memory/1320-197-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1368-94-0x0000000000000000-mapping.dmp
                          • memory/1464-178-0x0000000000000000-mapping.dmp
                          • memory/1464-229-0x00000000006E0000-0x00000000006E7000-memory.dmp
                            Filesize

                            28KB

                          • memory/1520-218-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1520-162-0x0000000000000000-mapping.dmp
                          • memory/1540-103-0x0000000000000000-mapping.dmp
                          • memory/1568-173-0x0000000000000000-mapping.dmp
                          • memory/1568-223-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1568-320-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1576-221-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1604-169-0x0000000000000000-mapping.dmp
                          • memory/1604-180-0x0000000000160000-0x0000000000172000-memory.dmp
                            Filesize

                            72KB

                          • memory/1608-114-0x0000000000000000-mapping.dmp
                          • memory/1612-253-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1612-222-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1612-171-0x0000000000000000-mapping.dmp
                          • memory/1632-315-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1632-176-0x0000000000000000-mapping.dmp
                          • memory/1632-225-0x0000000074760000-0x0000000074D0B000-memory.dmp
                            Filesize

                            5.7MB

                          • memory/1652-86-0x0000000000000000-mapping.dmp
                          • memory/1684-72-0x0000000000000000-mapping.dmp
                          • memory/1712-322-0x0000000000400000-0x000000000044F000-memory.dmp
                            Filesize

                            316KB

                          • memory/1712-231-0x0000000000400000-0x000000000044F000-memory.dmp
                            Filesize

                            316KB

                          • memory/1712-208-0x0000000000400000-0x000000000044F000-memory.dmp
                            Filesize

                            316KB

                          • memory/1712-205-0x0000000000401480-mapping.dmp
                          • memory/1712-202-0x0000000000400000-0x000000000044F000-memory.dmp
                            Filesize

                            316KB

                          • memory/1716-232-0x0000000000400000-0x0000000000434000-memory.dmp
                            Filesize

                            208KB

                          • memory/1716-203-0x0000000000417A8B-mapping.dmp
                          • memory/1716-349-0x0000000000400000-0x0000000000434000-memory.dmp
                            Filesize

                            208KB

                          • memory/1748-245-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1748-324-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1748-239-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1748-219-0x0000000000000000-mapping.dmp
                          • memory/1748-242-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1760-154-0x0000000000768000-0x0000000000779000-memory.dmp
                            Filesize

                            68KB

                          • memory/1760-157-0x0000000000220000-0x0000000000229000-memory.dmp
                            Filesize

                            36KB

                          • memory/1760-249-0x0000000000000000-mapping.dmp
                          • memory/1760-156-0x0000000000768000-0x0000000000779000-memory.dmp
                            Filesize

                            68KB

                          • memory/1760-158-0x0000000000400000-0x0000000000596000-memory.dmp
                            Filesize

                            1.6MB

                          • memory/1760-159-0x0000000000400000-0x0000000000596000-memory.dmp
                            Filesize

                            1.6MB

                          • memory/1796-312-0x000000000041AFE0-mapping.dmp
                          • memory/1796-321-0x0000000000400000-0x000000000041D000-memory.dmp
                            Filesize

                            116KB

                          • memory/1796-334-0x0000000000400000-0x000000000041D000-memory.dmp
                            Filesize

                            116KB

                          • memory/1892-243-0x0000000000400000-0x0000000000491000-memory.dmp
                            Filesize

                            580KB

                          • memory/1892-204-0x000000000043F176-mapping.dmp
                          • memory/1892-323-0x0000000000400000-0x0000000000491000-memory.dmp
                            Filesize

                            580KB

                          • memory/1900-131-0x0000000000000000-mapping.dmp
                          • memory/1916-348-0x0000000000400000-0x0000000000458000-memory.dmp
                            Filesize

                            352KB

                          • memory/1916-341-0x0000000000442628-mapping.dmp
                          • memory/1916-345-0x0000000000400000-0x0000000000458000-memory.dmp
                            Filesize

                            352KB

                          • memory/1940-194-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1940-193-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1940-191-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1940-228-0x0000000010000000-0x00000000101B6000-memory.dmp
                            Filesize

                            1.7MB

                          • memory/1940-186-0x0000000000000000-mapping.dmp
                          • memory/1948-150-0x0000000000000000-mapping.dmp
                          • memory/1960-130-0x0000000000F40000-0x0000000000F66000-memory.dmp
                            Filesize

                            152KB

                          • memory/2008-224-0x0000000000000000-mapping.dmp
                          • memory/2012-69-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp
                            Filesize

                            8KB

                          • memory/2016-196-0x0000000000000000-mapping.dmp
                          • memory/2020-257-0x0000000005050000-0x00000000065FA000-memory.dmp
                            Filesize

                            21.7MB

                          • memory/2020-326-0x0000000005050000-0x00000000065FA000-memory.dmp
                            Filesize

                            21.7MB

                          • memory/2020-182-0x0000000000000000-mapping.dmp
                          • memory/2020-259-0x0000000005050000-0x00000000065FA000-memory.dmp
                            Filesize

                            21.7MB

                          • memory/2112-318-0x0000000000000000-mapping.dmp
                          • memory/2112-254-0x0000000000000000-mapping.dmp
                          • memory/2140-289-0x0000000005FC0000-0x0000000006382000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/2140-255-0x0000000000000000-mapping.dmp
                          • memory/2140-304-0x0000000006042000-0x000000000604C000-memory.dmp
                            Filesize

                            40KB

                          • memory/2140-268-0x0000000005FC0000-0x0000000006382000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/2140-263-0x0000000005FC0000-0x0000000006382000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/2140-265-0x0000000005FC0000-0x0000000006382000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/2140-306-0x0000000006025000-0x0000000006035000-memory.dmp
                            Filesize

                            64KB

                          • memory/2140-335-0x0000000000400000-0x00000000019AA000-memory.dmp
                            Filesize

                            21.7MB

                          • memory/2140-305-0x000000000604C000-0x000000000619A000-memory.dmp
                            Filesize

                            1.3MB

                          • memory/2140-260-0x0000000000400000-0x00000000019AA000-memory.dmp
                            Filesize

                            21.7MB

                          • memory/2140-339-0x0000000005FC0000-0x0000000006382000-memory.dmp
                            Filesize

                            3.8MB

                          • memory/2300-272-0x0000000000000000-mapping.dmp
                          • memory/2488-287-0x0000000000000000-mapping.dmp
                          • memory/2500-288-0x0000000000000000-mapping.dmp
                          • memory/2592-331-0x0000000000400000-0x000000000041B000-memory.dmp
                            Filesize

                            108KB

                          • memory/2592-327-0x0000000000411654-mapping.dmp
                          • memory/2640-292-0x0000000000000000-mapping.dmp
                          • memory/2784-294-0x0000000000000000-mapping.dmp
                          • memory/2808-333-0x0000000000000000-mapping.dmp
                          • memory/2844-296-0x0000000000000000-mapping.dmp
                          • memory/2856-346-0x0000000000000000-mapping.dmp
                          • memory/3000-303-0x0000000000000000-mapping.dmp
                          • memory/3016-338-0x0000000000090000-0x0000000000124000-memory.dmp
                            Filesize

                            592KB

                          • memory/3016-337-0x0000000000000000-mapping.dmp