Overview
overview
8Static
static
3bVPN_1_7_0_setup.exe
windows10-2004-x64
8$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...on.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3QtCore4.dll
windows10-2004-x64
3QtGui4.dll
windows10-2004-x64
3QtNetwork4.dll
windows10-2004-x64
3bvpn.exe
windows10-2004-x64
1debug_helper.exe
windows10-2004-x64
1iwasel_pro...er.exe
windows10-2004-x64
1libeay32.dll
windows10-2004-x64
1msvcp100.dll
windows10-2004-x64
3msvcr100.dll
windows10-2004-x64
3openvpn/libeay32.dll
windows10-2004-x64
1openvpn/li...-1.dll
windows10-2004-x64
3openvpn/libssl32.dll
windows10-2004-x64
1openvpn/lzo2.dll
windows10-2004-x64
1openvpn/msvcr90.dll
windows10-2004-x64
1openvpn/openvpn.exe
windows10-2004-x64
1openvpn/ssleay32.dll
windows10-2004-x64
1openvpn/ta...01.sys
windows10-2004-x64
1openvpn/ta...ll.exe
windows10-2004-x64
1openvpn/ta...01.sys
windows10-2004-x64
1openvpn/ta...ll.exe
windows10-2004-x64
1plugins/im...o4.dll
windows10-2004-x64
1qjson0.dll
windows10-2004-x64
3qssh2.dll
windows10-2004-x64
3quazip.dll
windows10-2004-x64
3ssleay32.dll
windows10-2004-x64
1Analysis
-
max time kernel
1808s -
max time network
1824s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
14-04-2024 19:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bVPN_1_7_0_setup.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
29 signatures
1800 seconds
Behavioral task
behavioral2
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral3
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral4
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral8
Sample
QtCore4.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral9
Sample
QtGui4.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral10
Sample
QtNetwork4.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral11
Sample
bvpn.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
1800 seconds
Behavioral task
behavioral12
Sample
debug_helper.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral13
Sample
iwasel_pro_updater.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral14
Sample
libeay32.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral15
Sample
msvcp100.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral16
Sample
msvcr100.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral17
Sample
openvpn/libeay32.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral18
Sample
openvpn/libpkcs11-helper-1.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral19
Sample
openvpn/libssl32.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral20
Sample
openvpn/lzo2.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral21
Sample
openvpn/msvcr90.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral22
Sample
openvpn/openvpn.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
1800 seconds
Behavioral task
behavioral23
Sample
openvpn/ssleay32.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral24
Sample
openvpn/tap/win32/tap0901.sys
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
1800 seconds
Behavioral task
behavioral25
Sample
openvpn/tap/win32/tapinstall.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
1800 seconds
Behavioral task
behavioral26
Sample
openvpn/tap/win64/tap0901.sys
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
1800 seconds
Behavioral task
behavioral27
Sample
openvpn/tap/win64/tapinstall.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
1800 seconds
Behavioral task
behavioral28
Sample
plugins/imageformats/qico4.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
Behavioral task
behavioral29
Sample
qjson0.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral30
Sample
qssh2.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral31
Sample
quazip.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
2 signatures
1800 seconds
Behavioral task
behavioral32
Sample
ssleay32.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
1800 seconds
General
-
Target
bVPN_1_7_0_setup.exe
-
Size
7.3MB
-
MD5
2fa4cdaa23793a7db146ff2cc2f8b733
-
SHA1
0f5db4c08a276c60dd689dd4b5837ecc66da1f10
-
SHA256
5bb2af4f0e70623e1ce277a4cd0c0c27e51890541e34f0e9a1e5b81ce4a12324
-
SHA512
dcda14c2464af765037e2803df5ee91ed9131ed262f28f49c051ebb9aef602ac95a3c6c3a8a6fd022c652dc5da7a7ba5edff96fed23c43cac1334878f3125be8
-
SSDEEP
196608:WbiyFb1OkjwyTuN+d+aoxtqL8PlZT9/Yr254XQhd:4Fb179a8dpPLuZTRG2EId
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 9 IoCs
Processes:
DrvInst.exeDrvInst.exeDrvInst.exedescription ioc Process File opened for modification C:\Windows\System32\drivers\SETA4FC.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETA4FC.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\drivers\SETE24.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETE24.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\drivers\tapbvpn.sys DrvInst.exe File opened for modification C:\Windows\System32\drivers\SETBCCB.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETBCCB.tmp DrvInst.exe -
Manipulates Digital Signatures 1 TTPs 2 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
DrvInst.exeDrvInst.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3A1651770B34CEADBB29AD360B1A7169E1888FAC\Blob = 0300000001000000140000003a1651770b34ceadbb29ad360b1a7169e1888fac0400000001000000100000009a2a7ca2e706588d202a0eded5be7410190000000100000010000000eb2145fc1b41bfd5922cde69371e97bc140000000100000014000000f55608d0975436cf9db312ff84bbb4db6464f02e0f0000000100000014000000290917ef1dd60e52195230f5789dab59515431a22000000001000000820500003082057e30820466a003020102021066e27624878f3880f269376a3f576792300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3131303430393030303030305a170d3132303431333233353935395a3081c1310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a141a4f70656e56504e20546563686e6f6c6f676965732c20496e632e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312330210603550403141a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100e37fae3df3515f88429cd7dbf2094403ea20abee2fa47ef0fb179986b14bde20164c8f47c47fa933ad644026826eb3ecbd26eb2dacf130eac46cec9d56d85dc3a593a0b2bcb8dbd7b74c50718e012f48e3ab8b88cbe6245b9cf6435f45d827e7530b32b9381aba62c75735f06b049b4e4971aea0335ac9f65ac535ac50e38f29908c17a0ba6e8c351589c7311bed5cf775cfc95b60c0adc6821eb4fd922f7120a606e1f41b0ff64a9cbe6269f8418adc7bb26dbc7bfadd26d4e142222664f6f939b2ecde6efceb2c39a94c5e3e965f8304593b12e8c33c18d3f3acca96a0d3ef51c0c223d3fdd9e16116bc536843112cd4e17f4f7e410766465f5851fb9a37270203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010505000382010100ebf6839ae982fef2cf9d82e6b44f23a277f2c3d540f3858f4ae44e4d04a25e2224223089fcaf86e8fb40f543e96c929d4c66b63124dd6d02a5bfd7c10a2018db6882b9f8e37085fd5343af92c1b4e1bd4b060ad157d19c5ae84d9eb9550c01e7cc7b9da51480cabb6b08820b54eb57667c38bee30c074b4dcec910b21b393b1b9a5cd9fc1e52d123cb63af3e0bfd07939190114c596fe7b59236a809c96167fec34539d6dc627740156100d5d0f626cd337c65939b62a51079a51163fa89690f96c9d92113d8fcc646838a4ff14a428c3b8af1f638b669f65ae165e1a842a44b293305599bcf12a24ab8c062a699c4935cb758a4771726149d16cff71f7c8ecc DrvInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\27551ACED27D12620FE1674D0EABF63513279FE4\Blob = 03000000010000001400000027551aced27d12620fe1674d0eabf63513279fe40400000001000000100000004483152d247c8ebbaebf629e2c4dab1a1400000001000000140000003babbbd6b3c04bc6fd74cae3d31ece218a7e64701900000001000000100000000659903aaec71b563e5dc59f522930af0f0000000100000020000000914aad2eabc7fcbb395ec2a3e186caa29e0b96fbe3b656e8b47f8e5c7596667420000000010000001505000030820511308203f9a00302010202100df30dee5a5f7e428e8718087e03e67c300d06092a864886f70d01010b05003076310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d313530330603550403132c446967694365727420534841322048696768204173737572616e636520436f6465205369676e696e67204341301e170d3137313032393030303030305a170d3138313130323132303030305a3050310b3009060355040613024e4c311330110603550407130a5465746572696e67656e31153013060355040a130c69456c656d656e7420422e56311530130603550403130c69456c656d656e7420422e5630820122300d06092a864886f70d01010105000382010f003082010a0282010100c3525cffa72b56db703d05a16a347df9233f5de23b632fecbc69d121db9bc42c4972dc284db64aa0ea4c63401bf393a5b27af0f056465e5e2d8a5108ea888dd3f42707f83686e46d4efb68a20f5551bf6c08b99f76750612cfca316a3ba381c4cbc146e84c0d50a0493929a181507557862bf7a36172d624376225af51b53e5508240c8dbf258d1dc119b1c256a0fc50013216d0ef6c66891b4dc295dea39ab7ed81b848400261141cb81fdc2c93324340ea9a165fb2d9fa3188daed4b187b5e4c989f525342bc5f0b5a0f79d859ade90dd33c3815745a7cfa83a9ff8a7456b8fc02f406a91feaa5847a9ab232907dc1b351bba9d688f5b66cbd4d626a3ed86d0203010001a38201bf308201bb301f0603551d23041830168014679d0f20090ccc8a3ae582467262fcf1cc90e540301d0603551d0e041604143babbbd6b3c04bc6fd74cae3d31ece218a7e6470300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303306d0603551d1f046630643030a02ea02c862a687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d68612d63732d67312e63726c3030a02ea02c862a687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d68612d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818806082b06010505070101047c307a302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305206082b060105050730028646687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132486967684173737572616e6365436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382010100426cb27133741ddc0eae59217d865e63dcaebebbc87ce007e9209be22ef1000a5f3a6d146a1bfd569fb29f26be5e7efb8f65edc05efc3991aa2dd2c6494a650523b3e072e58fb9b0bf11c3516916c269cbb0381dd921d4111e9fbf7a123bb8b9c7a7ce3c20794f22ec84e6604aef6353f9b8f7c629f3d40efc933f44dfe0fb0c1171d697ccd350fe22c92fe5531152fe4cda99559d95668ab587bb9e07381091ef17a34b70010ef86c538f4bd1ce7112e434f0787cc8ca631eb9f541d38eaf70a7976904c99203b5dd156b3b077c3cef2a44014aceedc15b48cd9ef8f99c78bf3ca4dabd8057e83a73884b9c782dc944454aad48055b3a9b76137ef26c00d394 DrvInst.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
TLauncher-2.919-Installer-1.3.3.exeTLauncher-2.919-Installer-1.3.3.exerundll32.exeTLauncher-2.919-Installer-1.3.3.exeirsetup.exeTransformice.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation TLauncher-2.919-Installer-1.3.3.exe Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation TLauncher-2.919-Installer-1.3.3.exe Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation TLauncher-2.919-Installer-1.3.3.exe Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation irsetup.exe Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation Transformice.exe -
Executes dropped EXE 36 IoCs
Processes:
tapinstall.exetapinstall.exebvpn.exebVPN_2_5_5_setup.exebVPN_2_5_5_setup.exeuninst.exeAu_.exetapinstall.exetapinstall.exebVPN_2_5_5_setup.exewaselvpnserv.exewaselvpnserv.exewaselvpnserv.exetaptool.exedevcon.exebvpn.exebvpn.exeopenvpn-wasel.exebvpn.exebvpn.exeopenvpn-wasel.exeTransformice.exeInstall Transformice.exeTLauncher-2.919-Installer-1.3.3.exeirsetup.exeTLauncher-2.919-Installer-1.3.3.exeirsetup.exe7z2404-x64.exe7zG.exe7zFM.exeTLauncher-2.919-Installer-1.3.3.exeirsetup.exeirsetup.exeirsetup.exeTLauncher.exeTLauncher.exepid Process 3168 tapinstall.exe 872 tapinstall.exe 4508 bvpn.exe 2464 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 4404 uninst.exe 920 Au_.exe 2768 tapinstall.exe 3236 tapinstall.exe 1132 bVPN_2_5_5_setup.exe 2576 waselvpnserv.exe 1548 waselvpnserv.exe 4376 waselvpnserv.exe 3276 taptool.exe 3412 devcon.exe 4508 bvpn.exe 4128 bvpn.exe 6100 openvpn-wasel.exe 5468 bvpn.exe 3996 bvpn.exe 2780 openvpn-wasel.exe 5876 Transformice.exe 4352 Install Transformice.exe 3364 TLauncher-2.919-Installer-1.3.3.exe 4880 irsetup.exe 5252 TLauncher-2.919-Installer-1.3.3.exe 3504 irsetup.exe 2076 7z2404-x64.exe 3504 7zG.exe 5780 7zFM.exe 6016 TLauncher-2.919-Installer-1.3.3.exe 1784 irsetup.exe 6876 irsetup.exe 6764 irsetup.exe 6748 TLauncher.exe 2896 TLauncher.exe -
Loads dropped DLL 64 IoCs
Processes:
bVPN_1_7_0_setup.exebvpn.exebVPN_2_5_5_setup.exebVPN_2_5_5_setup.exeAu_.exebVPN_2_5_5_setup.exewaselvpnserv.exewaselvpnserv.exewaselvpnserv.exetaptool.exepid Process 452 bVPN_1_7_0_setup.exe 452 bVPN_1_7_0_setup.exe 452 bVPN_1_7_0_setup.exe 452 bVPN_1_7_0_setup.exe 452 bVPN_1_7_0_setup.exe 452 bVPN_1_7_0_setup.exe 452 bVPN_1_7_0_setup.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 4508 bvpn.exe 2464 bVPN_2_5_5_setup.exe 2464 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 920 Au_.exe 920 Au_.exe 920 Au_.exe 920 Au_.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 2576 waselvpnserv.exe 1132 bVPN_2_5_5_setup.exe 1548 waselvpnserv.exe 1548 waselvpnserv.exe 1548 waselvpnserv.exe 1548 waselvpnserv.exe 1548 waselvpnserv.exe 1548 waselvpnserv.exe 1548 waselvpnserv.exe 1548 waselvpnserv.exe 4376 waselvpnserv.exe 4376 waselvpnserv.exe 4376 waselvpnserv.exe 4376 waselvpnserv.exe 4376 waselvpnserv.exe 4376 waselvpnserv.exe 4376 waselvpnserv.exe 4376 waselvpnserv.exe 1132 bVPN_2_5_5_setup.exe 3276 taptool.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
7z2404-x64.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" 7z2404-x64.exe -
Processes:
resource yara_rule behavioral1/files/0x000900000002373a-3769.dat upx behavioral1/memory/4880-3774-0x0000000000110000-0x00000000004F9000-memory.dmp upx behavioral1/memory/4880-4395-0x0000000000110000-0x00000000004F9000-memory.dmp upx behavioral1/memory/3504-4428-0x0000000000EF0000-0x00000000012D9000-memory.dmp upx behavioral1/memory/3504-5021-0x0000000000EF0000-0x00000000012D9000-memory.dmp upx behavioral1/memory/1784-6302-0x0000000000FB0000-0x0000000001399000-memory.dmp upx behavioral1/memory/1784-6903-0x0000000000FB0000-0x0000000001399000-memory.dmp upx behavioral1/files/0x0009000000023f82-7632.dat upx behavioral1/memory/6876-7637-0x0000000000110000-0x00000000004F8000-memory.dmp upx behavioral1/memory/6876-7729-0x0000000000110000-0x00000000004F8000-memory.dmp upx behavioral1/memory/6764-7741-0x0000000000CD0000-0x00000000010B8000-memory.dmp upx behavioral1/memory/6764-7901-0x0000000000CD0000-0x00000000010B8000-memory.dmp upx -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
bVPN_1_7_0_setup.exebvpn.exebVPN_2_5_5_setup.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bVPN = "\"C:\\Program Files (x86)\\bVPN Service\\bVPN\\bvpn.exe\"" bVPN_1_7_0_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bVPN = "\"C:\\Program Files (x86)\\bVPN Service\\bVPN\\bvpn.exe\"" bvpn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bVPN = "\"C:\\Program Files (x86)\\bVPN Service\\bVPN\\bvpn.exe\"" bVPN_2_5_5_setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 33 IoCs
Processes:
DrvInst.exeDrvInst.exedevcon.exetapinstall.exetapinstall.exedescription ioc Process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\oemwin2k.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\tapbvpn.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985B.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\tapbvpn.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\tap0901.sys DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985A.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET134.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET155.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET9859.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\oemvista.PNF devcon.exe File created C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985A.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET985B.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\oemvista.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET134.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET144.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET155.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\tapbvpn.cat DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\oemwin2k.PNF tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\oemwin2k.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\oemwin2k.PNF tapinstall.exe File created C:\Windows\System32\DriverStore\Temp\{0dcf80ce-df25-fe47-a1ac-acc2cd35f8fb}\SET9859.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_71542ace8727e983\tapbvpn.sys DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\SET144.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{642b9fd0-d66b-8e4e-af53-7161231984c4}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_f8aa8626e797ceb6\tap0901.cat DrvInst.exe -
Drops file in Program Files directory 64 IoCs
Processes:
7z2404-x64.exebVPN_2_5_5_setup.exebVPN_1_7_0_setup.exeAu_.exejavaw.exewaselvpnserv.exedescription ioc Process File opened for modification C:\Program Files\7-Zip\Lang\lt.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\7-zip32.dll 7z2404-x64.exe File created C:\Program Files (x86)\bVPN Service\bVPN\imageformats\qgif.dll bVPN_2_5_5_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\libeay32.dll bVPN_2_5_5_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\openvpn\libpkcs11-helper-1.dll bVPN_1_7_0_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\msvcp120.dll bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt 7z2404-x64.exe File created C:\Program Files (x86)\bVPN Service\bVPN\tapbvpn\i386\tapbvpn.cat bVPN_2_5_5_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\Qt5Gui.dll bVPN_2_5_5_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\openvpn-wasel.exe bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt 7z2404-x64.exe File created C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tap0901.cat bVPN_1_7_0_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\quazip.dll bVPN_1_7_0_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt 7z2404-x64.exe File created C:\Program Files (x86)\bVPN Service\bVPN\tap0901\i386\tap0901.sys bVPN_2_5_5_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\qsmoke.dll bVPN_2_5_5_setup.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tapinstall.exe Au_.exe File created C:\Program Files (x86)\bVPN Service\bVPN\imageformats\qico.dll bVPN_2_5_5_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\uninst.exe bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt 7z2404-x64.exe File created C:\Program Files (x86)\bVPN Service\bVPN\debug_helper.exe bVPN_1_7_0_setup.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\tap0901.cat Au_.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt 7z2404-x64.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\tapinstall.exe Au_.exe File created C:\Program Files (x86)\bVPN Service\bVPN\libpkcs11-helper-1.dll bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\7z.sfx 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt 7z2404-x64.exe File created C:\Program Files (x86)\bVPN Service\bVPN\uninst.exe bVPN_1_7_0_setup.exe File created C:\Program Files (x86)\bVPN Service\bVPN\tap0901_legacy\amd64\OemWin2k.inf bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\yo.txt 7z2404-x64.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\bvpn.exe Au_.exe File created C:\Program Files (x86)\bVPN Service\bVPN\waselvpnserv.exe bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt 7z2404-x64.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb javaw.exe File created C:\Program Files (x86)\bVPN Service\bVPN\openvpn.exe bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt 7z2404-x64.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win64\tap0901.sys Au_.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\srv.log waselvpnserv.exe File created C:\Program Files (x86)\bVPN Service\bVPN\tap0901_legacy\i386\tap0901.cat bVPN_2_5_5_setup.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\hy.txt 7z2404-x64.exe File created C:\Program Files\7-Zip\7-zip.dll 7z2404-x64.exe File created C:\Program Files (x86)\bVPN Service\bVPN\openvpn\lzo2.dll bVPN_1_7_0_setup.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\ssleay32.dll Au_.exe File opened for modification C:\Program Files (x86)\bVPN Service\bVPN\openvpn\tap\win32\OemWin2k.inf Au_.exe File opened for modification C:\Program Files\7-Zip\History.txt 7z2404-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt 7z2404-x64.exe File created C:\Program Files\7-Zip\7-zip.dll.tmp 7z2404-x64.exe -
Drops file in Windows directory 16 IoCs
Processes:
DrvInst.exeDrvInst.exedevcon.exeDrvInst.exesvchost.exeDrvInst.exetapinstall.exesvchost.exetapinstall.exesvchost.exeDrvInst.exetapinstall.exedescription ioc Process File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log devcon.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\inf\oem4.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\inf\oem4.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
DrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exetapinstall.exesvchost.exetaskmgr.exesvchost.exetapinstall.exesvchost.exedevcon.exetapinstall.exetapinstall.exetaskmgr.exetapinstall.exetapinstall.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID devcon.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs devcon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs devcon.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID devcon.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 15 IoCs
Processes:
msedge.exemsedge.exechrome.exechrome.exechrome.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
DrvInst.exeDrvInst.exechrome.exechrome.exechrome.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133575984292529165" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe -
Modifies registry class 24 IoCs
Processes:
7z2404-x64.exebvpn.exechrome.exeSearchApp.exechrome.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WF_SERVICE_NPV_FF56A4C7 bvpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2404-x64.exe Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2288054676-1871194608-3559553667-1000\{5AB2B366-111D-482A-A17C-23F450CB8D1D} chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" 7z2404-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" 7z2404-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2404-x64.exe -
Processes:
tapinstall.exedevcon.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 devcon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a devcon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a devcon.exe -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes:
bvpn.exebvpn.exebvpn.exebvpn.exepid Process 4508 bvpn.exe 4128 bvpn.exe 5468 bvpn.exe 3996 bvpn.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
bVPN_1_7_0_setup.exebvpn.exechrome.exebVPN_2_5_5_setup.exebVPN_2_5_5_setup.exeAu_.exechrome.exebVPN_2_5_5_setup.exebvpn.exebvpn.exemsedge.exemsedge.exeopenvpn-wasel.exetaskmgr.exepid Process 452 bVPN_1_7_0_setup.exe 452 bVPN_1_7_0_setup.exe 4508 bvpn.exe 4508 bvpn.exe 2824 chrome.exe 2824 chrome.exe 2464 bVPN_2_5_5_setup.exe 2464 bVPN_2_5_5_setup.exe 2464 bVPN_2_5_5_setup.exe 2464 bVPN_2_5_5_setup.exe 2464 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 3640 bVPN_2_5_5_setup.exe 920 Au_.exe 920 Au_.exe 2572 chrome.exe 2572 chrome.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 1132 bVPN_2_5_5_setup.exe 1808 bvpn.exe 1808 bvpn.exe 4128 bvpn.exe 4128 bvpn.exe 968 msedge.exe 968 msedge.exe 4968 msedge.exe 4968 msedge.exe 6100 openvpn-wasel.exe 6100 openvpn-wasel.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe 5680 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
Processes:
bvpn.exebVPN_2_5_5_setup.exetaskmgr.exebvpn.exe7zFM.exemsdt.exepid Process 4128 bvpn.exe 1132 bVPN_2_5_5_setup.exe 5680 taskmgr.exe 3996 bvpn.exe 5780 7zFM.exe 3340 msdt.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid Process 4