Analysis

  • max time kernel
    91s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 01:39

General

  • Target

    8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    8c7d5a492d7680b8062055cc3ddb9b45

  • SHA1

    0a8ab10ec6ccec645a7b40d4e5ca943475d2a5aa

  • SHA256

    2af485626e4b3fac3c880cf16b950f17562169c0c3b01e8bcead75453e74ce0d

  • SHA512

    8ea5a985fed7d884305558a8c2c2c0a93779e2efc803721f32d952df302bb208e101f83831f6df6611de3f6fbe860a305ee2c677a14b2e49726c4c6ade069a71

  • SSDEEP

    49152:gco0o0emPUHFwm72hQ9y14tkANvHwXS245zSHNiK+UqbeCIRb:gcT6cEFwmS14tk4Hwl4haQ/xbY

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Manipulates Digital Signatures 1 TTPs 5 IoCs

    Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 16 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
      "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:748
        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
          "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0901"
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:2448
        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
          "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0801"
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:2492
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F
          4⤵
          PID:916
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F
          4⤵
          PID:4868
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F
          4⤵
          PID:816
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F
          4⤵
          PID:3532
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F
          4⤵
          PID:2508
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCR\.ovpn" /F
          4⤵
          PID:3020
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCR\OpenVPN" /F
          4⤵
          PID:1524
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F
          4⤵
          PID:1004
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"
          4⤵
          PID:1408
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"
          4⤵
          PID:3936
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"
          4⤵
          PID:1660
        • C:\Windows\SysWOW64\certutil.exe
          certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"
          4⤵
          • Manipulates Digital Signatures
          PID:2008
        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
          "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe" "tapadd.au3"
          4⤵
          • Executes dropped EXE
          PID:3424
        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
          "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"
          4⤵
          • Manipulates Digital Signatures
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          PID:1440
        • C:\Windows\SysWOW64\find.exe
          find.exe /I "successfully"
          4⤵
          PID:2728
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
          4⤵
          PID:1948
          • C:\Windows\SysWOW64\reg.exe
            reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
            5⤵
            PID:440
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F
          4⤵
          PID:2196
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /T /IM "autoit3.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4276
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"
          4⤵
          • Enumerates system info in registry
          PID:512
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F
          4⤵
          PID:3504
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F
          4⤵
          PID:4216
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F
          4⤵
          PID:2652
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F
          4⤵
          PID:3856
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F
          4⤵
          PID:2688
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
          4⤵
          PID:1360
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F
          4⤵
          PID:4532
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F
          4⤵
          PID:4100
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F
          4⤵
          PID:1304
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F
          4⤵
          PID:2548
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F
          4⤵
          PID:2272
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F
          4⤵
          PID:1164
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
          4⤵
          PID:744
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F
          4⤵
          PID:2140
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F
          4⤵
          PID:216
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F
          4⤵
          PID:1088
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F
          4⤵
          PID:4424
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F
          4⤵
          PID:3324
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F
          4⤵
          PID:316
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F
          4⤵
          PID:1772
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F
          4⤵
          PID:1616
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F
          4⤵
          PID:748
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F
          4⤵
          PID:4396
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F
          4⤵
          PID:1924
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F
          4⤵
          PID:3688
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F
          4⤵
          PID:916
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F
          4⤵
          PID:4868
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F
          4⤵
          PID:816
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F
          4⤵
          PID:3532
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F
          4⤵
          PID:1876
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F
          4⤵
          PID:1732
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"
          4⤵
          PID:4976
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"
          4⤵
          PID:3456
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 11
          4⤵
          • Runs ping.exe
          PID:1644
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f942a4e1-6238-f944-a88b-ce84c26b9810}\oemwin2k.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\users\admin\appdata\local\temp\openvpn\files\tap\x64"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:1264
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "0000000000000138"
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:760
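The command lines in the process tree above, run through a small set of detection rules, as an added example that is not part of this report or of the sandbox's signature engine. The sample command lines are copied from the tree; the rule names and regexes are mine; the NCF_* bit values are the Characteristics flags documented for Windows network INF files. Of note is the reg add that sets Characteristics to 0x89 on a network-class instance: 0x89 decodes to NCF_VIRTUAL | NCF_HIDDEN | NCF_HAS_UI, which marks the installed TAP adapter as hidden, so the rule flags NCF_HIDDEN rather than matching the literal value.

```python
import re

# Command lines copied from the process tree of this report. The list is
# constructed for this example; the rules and rule names below are mine.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""',
    r'taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"',
    r'certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"',
    r'"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"',
    r'reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F',
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F',
    r'reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F',
]

# Device setup class GUID for network adapters (the key the sample edits).
NET_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002BE10318}"

# NCF_* Characteristics bits as documented for Windows network INF files.
NCF_FLAGS = {
    0x1: "NCF_VIRTUAL", 0x2: "NCF_SOFTWARE_ENUMERATED", 0x4: "NCF_PHYSICAL",
    0x8: "NCF_HIDDEN", 0x10: "NCF_NO_SERVICE", 0x20: "NCF_NOT_USER_REMOVABLE",
    0x40: "NCF_MULTIPORT_INSTANCED_ADAPTER", 0x80: "NCF_HAS_UI",
    0x100: "NCF_SINGLE_INSTANCE", 0x400: "NCF_FILTER",
}

# (rule name, regex) pairs; each targets one behaviour visible in the tree.
RULES = [
    ("cert-store-tamper",             # certutil adding to a trust store
     re.compile(r'\bcertutil(\.exe)?\b.*-addstore\s+"?(TrustedPublisher|Root|AuthRoot)\b', re.I)),
    ("driver-install-from-user-dir",  # devcon installing an INF from a user profile
     re.compile(r'\bdevcon(64)?(\.exe)?"?\s+install\s+"?[a-z]:\\users\\', re.I)),
    ("runasadmin-compat-layer",       # forcing elevation via AppCompat layer
     re.compile(r'AppCompatFlags\\Layers".*\bRUNASADMIN\b', re.I)),
    ("ping-delay-self-delete",        # ping as sleep, then rmdir of the drop dir
     re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+\d+.*\brmdir\s+/S\b', re.I)),
]

CHARACTERISTICS_RX = re.compile(
    r'Control\\Class\\(\{[0-9a-f-]+\})\\\d{4}".*/V\s+"Characteristics".*/D\s+"?(0x[0-9a-f]+|\d+)',
    re.I)


def decode_ncf(value: int) -> list[str]:
    """Return the NCF_* names set in a Characteristics DWORD, low bit first."""
    return [name for bit, name in sorted(NCF_FLAGS.items()) if value & bit]


def check_characteristics(cmd: str):
    """Flag a reg add that sets NCF_HIDDEN on a network-class adapter instance."""
    m = CHARACTERISTICS_RX.search(cmd)
    if not m or m.group(1).upper() != NET_CLASS_GUID:
        return None
    value = int(m.group(2), 0)          # accepts "0x89" or decimal
    flags = decode_ncf(value)
    if "NCF_HIDDEN" in flags:
        return ("hidden-net-adapter", "Characteristics=0x%x -> %s" % (value, "|".join(flags)))
    return None


def check_taskkill(cmd: str):
    """Flag a forced taskkill that names two or more images in one command."""
    if re.search(r"\btaskkill(\.exe)?\s", cmd, re.I) and "/f" in cmd.lower().split():
        if cmd.lower().count("/im ") >= 2:
            return ("mass-taskkill", cmd)
    return None


def scan_cmdlines(cmdlines):
    """Run every rule over each command line; return (rule, detail) tuples in order."""
    findings = []
    for cmd in cmdlines:
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append((name, cmd))
        for checker in (check_characteristics, check_taskkill):
            hit = checker(cmd)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"[{rule}] {detail[:90]}")
```

Run as a script it prints one line per finding. In practice the input would be process-creation telemetry (EDR, or Sysmon Event ID 1 command lines) rather than the constructed list; the `config_ext` line is included to show that ordinary OpenVPN registry writes produce no finding.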

Network

MITRE ATT&CK Enterprise v15

                                                                                                        Downloads

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\LIBLZO~1.DLL

                                                                                                          Filesize

                                                                                                          170KB

                                                                                                          MD5

                                                                                                          33120addb41cebf8bef95c71cf2166c8

                                                                                                          SHA1

                                                                                                          07ad36f3303fc95c0c914224ce0ac66cbe191042

                                                                                                          SHA256

                                                                                                          81d618e824c8fc4481f337f301b2cd8a1299ccacc85fc70186a84841999d21df

                                                                                                          SHA512

                                                                                                          cc89dd35d0e8aef12d8eeb5dcafbaca9735a87622adc8d9fadf5771b2b88ef7fdadf973d2f58f7190c91444cd2e98abeda5d5f04d20ea829370afc8540f3e79f

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\LIBPKC~1.DLL

                                                                                                          Filesize

                                                                                                          112KB

                                                                                                          MD5

                                                                                                          b953c29a14e9a1de3634894ae338132d

                                                                                                          SHA1

                                                                                                          17adfb1793bcf320a8eab328b83caf1fff905dae

                                                                                                          SHA256

                                                                                                          65848133a5efb6ce50cc34e5aece19b7f95496cfdeb704840db643a1a0799394

                                                                                                          SHA512

                                                                                                          0f7238c25d92e1ac05a1a926e6c318560246dfd062dde6f868b3eebf2b01c68ef27cad28927e629fa0d8d67de29783430d25427593c1891ad9789c755f2a0808

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\OPENVP~1.EXE
  Filesize 400KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\OPENVP~2.EXE
  Filesize 7KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
  Filesize 727KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\config\LNKRIV~1.OVP
  Filesize 3KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\cpau-run.exe
  Filesize 8KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\cpau.exe
  Filesize 542KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\cpau.job
  Filesize 1KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon32.exe
  Filesize 76KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
  Filesize 80KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
  Filesize 1KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\libeay32.dll
  Filesize 2.2MB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openssl.exe
  Filesize 889KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openvpn.exe
  Filesize 661KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openvpn.ico
  Filesize 3KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\ssleay32.dll
  Filesize 575KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x32\oemwin2k.inf
  Filesize 7KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x32\tap0901.cat
  Filesize 10KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x32\tap0901.sys
  Filesize 34KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf
  Filesize 7KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.au3
  Filesize 1KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.bat
  Filesize 1KB

• C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.cer
  Filesize 1KB

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapdel.bat

                                                                                                          Filesize

                                                                                                          493B

                                                                                                          MD5

                                                                                                          20be78849f16f8008914d8146b5a06f3

                                                                                                          SHA1

                                                                                                          7025a9cf11277fcafb527a1b6bd72fa9e467d6e2

                                                                                                          SHA256

                                                                                                          fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2

                                                                                                          SHA512

                                                                                                          0f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\OPENVP~1.CS

                                                                                                          Filesize

                                                                                                          802B

                                                                                                          MD5

                                                                                                          d488d8de97683b833c32bbe531a3f8c1

                                                                                                          SHA1

                                                                                                          4d5e1461bf19d1e46ee184235913d5e83f638f6f

                                                                                                          SHA256

                                                                                                          cc56e334b58dff595cec0ad534e4aeb95ea0bfc3c7e4c8d80b64c9d9603f028b

                                                                                                          SHA512

                                                                                                          d16442c5f5bd902ae4d13e6abb87726f6608cfbb845d9de4db5018b5bf61bc4e88c618b98dc58f13443a83913105f2110bcd3ee5e91c1491ba880267370243b7

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\cpau-run.cs

                                                                                                          Filesize

                                                                                                          952B

                                                                                                          MD5

                                                                                                          204f9556853cf1f01dd6ef9b6e93c89e

                                                                                                          SHA1

                                                                                                          1f90491b6acf00025df95edcf485dacb0657c541

                                                                                                          SHA256

                                                                                                          f61a6c64fb5dcaef02162c85083a650ab5874ba04121caea66925a88577401ae

                                                                                                          SHA512

                                                                                                          01e208e5e82c788f45c17ff60a0ffcac981c1db5946307e5f665ec7a41b3697b04d5d5e292f043e1f1f9ca5caf5454cddf8456810054ba799b44e131ced8d177

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\make.bat

                                                                                                          Filesize

                                                                                                          469B

                                                                                                          MD5

                                                                                                          53aff72e284f8b212a7d88abb0dc8763

                                                                                                          SHA1

                                                                                                          01eb94360f2190f963010b93147999a2e5c28e4e

                                                                                                          SHA256

                                                                                                          4355121da1e8b1b40003e7c33b43145a4af9e6e86d2da1cb36327ffe10b69e35

                                                                                                          SHA512

                                                                                                          940a2b59c3e160df0315968875b9a963ee0f72bc4698351d6839bbc48d103026b5839722e147aff901d4070c4211800a7eb9db8a120df6dc018ec78793f13a16

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat

                                                                                                          Filesize

                                                                                                          7KB

                                                                                                          MD5

                                                                                                          3b400e42685b3fa8df13b8cd97bedc3c

                                                                                                          SHA1

                                                                                                          8cc19661310675e1a823168dcf14343514d6532c

                                                                                                          SHA256

                                                                                                          eeffe81413b850dd41861be98bdf7f5a0da84502d0e91467cfc286b89c63c719

                                                                                                          SHA512

                                                                                                          463a5bb6ce2d5af52895ca203c7cfcec6144c772b2b14130d0081c11e6ef9a3f9f44181541fbbb007528512c9dd2d84e6627b7744001bd0c08f712ee0d21dc55

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          MD5

                                                                                                          106bcfcc67890864960720c1ef24d49c

                                                                                                          SHA1

                                                                                                          80afac8bf05f1aae0033b286f4e10e8ff15ef6d7

                                                                                                          SHA256

                                                                                                          857f6e98200cd127165f602bc018b5e4d3dcc6e6c558eb65476d0a9da930f27b

                                                                                                          SHA512

                                                                                                          ceb91976b8690d18ef61ebcb8912bcb4d0fda4e4da0489642ea76507648336cdd015a264a390ebda379b903a843887f8f47ee1f18a33a9246dbb089935552bfa

                                                                                                        • \??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.cat

                                                                                                          Filesize

                                                                                                          10KB

                                                                                                          MD5

                                                                                                          0365c95d5be2b3d314dcc019380c0e11

                                                                                                          SHA1

                                                                                                          c269cee763f580e890d2eae42a8e98116e04a232

                                                                                                          SHA256

                                                                                                          6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503

                                                                                                          SHA512

                                                                                                          9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

                                                                                                        • \??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.sys

                                                                                                          Filesize

                                                                                                          39KB

                                                                                                          MD5

                                                                                                          3c32ff010f869bc184df71290477384e

                                                                                                          SHA1

                                                                                                          9dec39ca0d13cd4aadf4120de29665c426be9f2b

                                                                                                          SHA256

                                                                                                          55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b

                                                                                                          SHA512

                                                                                                          2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

                                                                                                        • memory/1696-76-0x0000000000401000-0x0000000000402000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/1696-75-0x0000000000400000-0x0000000000402000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB