Analysis Overview
SHA256
2af485626e4b3fac3c880cf16b950f17562169c0c3b01e8bcead75453e74ce0d
Threat Level: Likely malicious
The file 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Manipulates Digital Signatures
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Uses Volume Shadow Copy service COM API
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 01:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 01:39
Reported
2024-06-02 01:41
Platform
win7-20240508-en
Max time kernel
130s
Max time network
146s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\SET4C0E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET4C0E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D09.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D1B.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D1B.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D09.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\oemwin2k.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D0A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D0A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\INFCACHE.0 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\OpenVPN\cpau-run.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\openvpn-run.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tapadd.bat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\devcon64.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\openvpn-run.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\openvpn.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\cpau-run.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\devcon32.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tapadd.bat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\cpau.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\hidec.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\hidec.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\devcon32.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tapadd.au3 | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tap\x64\tap0901.sys | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\autoit3.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\libeay32.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\openssl.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\openvpn-gui.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x32 | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tap\x32\tap0901.sys | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x64\tap0901.cat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\openvpn-gui.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\openvpn.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\ssleay32.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\log | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\cpau.job | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tapdel.bat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tap\x32\tap0901.cat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tap\x64\tap0901.cat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\libeay32.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\liblzo2-2.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\liblzo2-2.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\libpkcs11-helper-1.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\openvpn.ico | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x64\tap0901.sys | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x64 | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tapdel.bat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x64\oemwin2k.inf | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\devcon64.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\ssleay32.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\config | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x32\tap0901.sys | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tap\x64\oemwin2k.inf | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\cpau.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\openvpn.ico | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap\x32\tap0901.cat | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\autoit3.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tapadd.cer | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\tap | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\cpau.job | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\libpkcs11-helper-1.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Program Files\OpenVPN\openssl.exe | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tapadd.au3 | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File created | C:\Program Files\OpenVPN\tapadd.cer | C:\Windows\SysWOW64\xcopy.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem2.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev2 | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0901"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0801"
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\.ovpn" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"
C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe" "tapadd.au3"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"
C:\Windows\SysWOW64\find.exe
find.exe /I "successfully"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0fefe06a-ebbc-2c12-4116-6c521a955d70}\oemwin2k.inf" "9" "6d14a44ff" "00000000000004C8" "WinSta0\Default" "0000000000000574" "208" "c:\users\admin\appdata\local\temp\openvpn\files\tap\x64"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000005D0" "00000000000005CC"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemwin2k.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.9:tap0901" "6d14a44ff" "000000000000038C" "00000000000005C0" "00000000000005D8"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
C:\Windows\SysWOW64\reg.exe
reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011" /V "Characteristics" /T REG_DWORD /D "0x89" /F
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /T /IM "autoit3.exe"
C:\Windows\SysWOW64\xcopy.exe
xcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 11
Network
| Country | Destination | Domain | Proto |
| N/A | 255.255.255.255:67 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openvpn.ico
| MD5 | 069888d95f71a29ec6f8fe4b4e124adb |
| SHA1 | 353821428d6dded375f64e2c75f6cfd44b4c3f49 |
| SHA256 | bf445fb428e0ead0523322ddc9bdcdadd70ebbf83b7ff68aecdeb961a7d1be11 |
| SHA512 | 0875805467275597e7acbfae7d6edf5efad0228331b624a279b7cf485d4f8ac23c608829921e4ab372515750f66e4485c5c29d035f23baa905d42bd109546a97 |
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
| MD5 | abc6379205de2618851c4fcbf72112eb |
| SHA1 | 1ed7b1e965eab56f55efda975f9f7ade95337267 |
| SHA256 | 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f |
| SHA512 | 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1 |
memory/1608-71-0x0000000003310000-0x0000000003312000-memory.dmp
memory/2480-77-0x0000000000400000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat
| MD5 | 3b400e42685b3fa8df13b8cd97bedc3c |
| SHA1 | 8cc19661310675e1a823168dcf14343514d6532c |
| SHA256 | eeffe81413b850dd41861be98bdf7f5a0da84502d0e91467cfc286b89c63c719 |
| SHA512 | 463a5bb6ce2d5af52895ca203c7cfcec6144c772b2b14130d0081c11e6ef9a3f9f44181541fbbb007528512c9dd2d84e6627b7744001bd0c08f712ee0d21dc55 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapdel.bat
| MD5 | 20be78849f16f8008914d8146b5a06f3 |
| SHA1 | 7025a9cf11277fcafb527a1b6bd72fa9e467d6e2 |
| SHA256 | fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2 |
| SHA512 | 0f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
| MD5 | 3904d0698962e09da946046020cbcb17 |
| SHA1 | edae098e7e8452ca6c125cf6362dda3f4d78f0ae |
| SHA256 | a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289 |
| SHA512 | c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs
| MD5 | 106bcfcc67890864960720c1ef24d49c |
| SHA1 | 80afac8bf05f1aae0033b286f4e10e8ff15ef6d7 |
| SHA256 | 857f6e98200cd127165f602bc018b5e4d3dcc6e6c558eb65476d0a9da930f27b |
| SHA512 | ceb91976b8690d18ef61ebcb8912bcb4d0fda4e4da0489642ea76507648336cdd015a264a390ebda379b903a843887f8f47ee1f18a33a9246dbb089935552bfa |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.bat
| MD5 | 1d547f162cc179e515400745d47a9815 |
| SHA1 | aa57115d87770d696b0a5ac810be261c06d623db |
| SHA256 | 9de5b0471dbae91bdf1a140682c1e821616b715e96305ca8fe1556baa84599ab |
| SHA512 | 18ce4d2a9879f098410debcf8f6e1792666cbe420a474dfbf8ff9c622f66fc1790a9a2377eb16c74f3077e4cd99add2a72ef0227009939019afb3198dcc4ca20 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.cer
| MD5 | 3d5ffd53be77c32cbb147f32423c0a86 |
| SHA1 | ec4f1d31686625ecc004993cd0e89a4136dd3344 |
| SHA256 | 669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c |
| SHA512 | bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7 |
\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
| MD5 | 78c22df03127318893ce5b1fede8401c |
| SHA1 | d640359b4c5d04f666b3c57c762570a6bbb61c2c |
| SHA256 | be76e4e3109418b914a958deeeef9116df9c269d90a1e92e9656df70dcbecd9f |
| SHA512 | 8070a452912c4a399496bd646857c3659111a9f6b6785ed0fdbde4020eabcc3aec28099534bd773b71c6b0d19dd013672441a3df1bbb287af8c1d222c3dd2664 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.au3
| MD5 | 1399f4d45f332e0b7443e91f601cc4e5 |
| SHA1 | 4fafcd4d415f977a018b3fb169d4982de5e62aaf |
| SHA256 | 9dba0f89b93b7880061dcc0b30d37d992ef99f15ee9b2e70124ebc70a55ae96b |
| SHA512 | fb805f85e566066ca40d8f04c52ed0f0a9aee09926b37eff41b318edfe880ca5a5e909642182e8f452b90becd368d64763e2329340d3986caedd2993da9ce178 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf
| MD5 | b6aada0cbed06889053a05b66f146979 |
| SHA1 | 823025f02b355b37df7d7657b0f2b4d3584891a5 |
| SHA256 | a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707 |
| SHA512 | 9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad |
\??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.cat
| MD5 | 0365c95d5be2b3d314dcc019380c0e11 |
| SHA1 | c269cee763f580e890d2eae42a8e98116e04a232 |
| SHA256 | 6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503 |
| SHA512 | 9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c |
C:\Users\Admin\AppData\Local\Temp\Cab2ADA.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar2AFC.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
\??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.sys
| MD5 | 3c32ff010f869bc184df71290477384e |
| SHA1 | 9dec39ca0d13cd4aadf4120de29665c426be9f2b |
| SHA256 | 55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b |
| SHA512 | 2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff |
C:\Windows\Temp\Cab2D98.tmp
| MD5 | d59a6b36c5a94916241a3ead50222b6f |
| SHA1 | e274e9486d318c383bc4b9812844ba56f0cff3c6 |
| SHA256 | a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53 |
| SHA512 | 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489 |
C:\Windows\Temp\Tar2DE9.tmp
| MD5 | b13f51572f55a2d31ed9f266d581e9ea |
| SHA1 | 7eef3111b878e159e520f34410ad87adecf0ca92 |
| SHA256 | 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15 |
| SHA512 | f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c |
C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF
| MD5 | 6855a9c34a2bd45ce302e8635a7913a5 |
| SHA1 | 3b1a911a944eb1970a9fd8501a45bfbfca825f57 |
| SHA256 | 91e27001efcbc2ef7ac66bf564d296a42640899b75b821037ff607b13beefbcf |
| SHA512 | 847183d9029374a7be71682a8bc7d9c748349c82b316bc013e29a88493dd6100b64614afbeb0a0e53e3eeedbb3ed56c0099642e352162bd3f7e74432c90db63e |
C:\Windows\System32\DriverStore\INFCACHE.1
| MD5 | e27e5ee5c5c2c8d742bdd8d187a101f2 |
| SHA1 | 17e7ef7c6aff9a1858bc8db391b3841f0bb498ea |
| SHA256 | 4c6f56bf5f87f209aeb6f0a38ab994b6948e6529b9d9e09601804791eaca3416 |
| SHA512 | 4ad3d84230ab62c37fca393970e24dd40ec4887915a61ef7b10aff9b41153f21e971890bb08d2a73a969cf0b239ff13d3e6e2c16aec99cee0e1d8cb92368af15 |
C:\Windows\inf\oem2.PNF
| MD5 | e8b3eee05aeb838e7b93c27837d116db |
| SHA1 | 5ea7e83df7332f9fc9ba5fa63a0bbc034082a9f9 |
| SHA256 | 0117cb5a10a89d6f70b8cdb0058fd177cf5f4bc0d2d95c08113d9d97fd24d77b |
| SHA512 | c24172409b03bd27f458c4e6c93f65fe8460048fe2829e51f664e35393a2ab7123bd24ba9e30a1d9d0b61a6fab9c21c91ec64ce24849f4f92c492568db2b6675 |
memory/2644-363-0x00000000003D0000-0x00000000003F6000-memory.dmp
C:\Program Files\OpenVPN\tap\x32\tap0901.sys
| MD5 | 432d9d823c4c26b6070c41bad4404ce4 |
| SHA1 | 5e562e4b8a04dc61614423d0440f2057a0e55059 |
| SHA256 | 741b41f7467d312af4cc733ea31f647fbcd06985cbb6a14117e8a87a6f7b06f5 |
| SHA512 | b53f7e036f7dabfae9d5a447ec134f43cf7c03b5c60a138e13ada19358e9b42bcd24244a220d8c00229319812fd6935a81c45233eafaf2603616846f27ae5084 |
C:\Program Files\OpenVPN\tap\x32\tap0901.cat
| MD5 | fb34d08569af3a01758d4bf629a3aa0d |
| SHA1 | d84aa4acf33724ea68d0f60ffbce0afebc583d95 |
| SHA256 | aa83670a92681a19b6aed64cf0509c2b53b56c11352a88764fc25c7bf6f5c5f9 |
| SHA512 | df6f9d33b38b0910cbfe9aa4449bc3793eac88160d9346cf4010985bfd1edd67e70376af4c6680f08c1fe7bea76b0ab396392b09f3ce22b1f5797b66fa235de2 |
C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf
| MD5 | 35589b966c65a52a1c95791bbcd80543 |
| SHA1 | d65994dd38de0e1971f8c99a048c46acc284e8bf |
| SHA256 | 8892d224ae879cc35ffe216691fc6ba3266d88b6239838f7d38b3a4ff4ad74b6 |
| SHA512 | ece01e898527ae2ce3039457ea1823bda6351871900c1a7a20057ff3250e33ed8ed216af3318edaa1c3825c17d348dee06078e946d10332e87af8ec45795fd5f |
C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn
| MD5 | bbec26e2402902591d21c4dad4206f30 |
| SHA1 | 06d41d840116f75beeb56002b90182eb88cded86 |
| SHA256 | e79f12b202712e3189ed34321eb20e0f82cc301450e1d13a8c739b399a7482ee |
| SHA512 | d54bde1bf9c6ecc77b6dbedf8db99f8b31a94b9788349b0a974d61bcd86b2bdb95501a49443b63734ecac3e0e737515256c189dfffcb2c369ad90b9bc67cb859 |
C:\Program Files\OpenVPN\ssleay32.dll
| MD5 | d5bbd87e924eb25c9dccf3cf719ec3f0 |
| SHA1 | 53318e7eef3422af92669df2530542d830fe1985 |
| SHA256 | 7bb88ab66da575da9a78c4d6d92c52540b6f0346a836baded3aa9b7608996ba6 |
| SHA512 | 2793cb8f5d7764f09e01f364820c1b43594a6e6eaa25aa0ec57548b13c6afd31420e11d77625cf5de69aeeaa836885592c5672cda3ae854d87eae065026affcb |
C:\Program Files\OpenVPN\openvpn.exe
| MD5 | abd63e52fd0eb910a8d3eccb247ab25d |
| SHA1 | 8ad3fc615e5190e7de79e98e6a4ddf8e4c5ec910 |
| SHA256 | 83bab0975ba4b8202b77a3ae6e6edada231ddbae30bafae1246d6fe886167bb4 |
| SHA512 | 6df9d32c5f455448fae85c2f0256db8cf64b688ca2852cd30ba57e3ce763fe28f6b0d169fc7db60afd817faab74cc5481268992854b9913848873b41c2ca6627 |
C:\Program Files\OpenVPN\openvpn-run.exe
| MD5 | a04d972fa20f1b04802448756f9f3a49 |
| SHA1 | a99c091155100c71b631386604bc045d86e843c5 |
| SHA256 | 97cb8862a4af8218a5c30dd51e219c23f8e3e1588fc890d65d8b12850d15a28d |
| SHA512 | 413459b771e2d7404534c12d1d5844ef8a455402c7c2cc8925e1f7e9a9cbab66968a26c5c23aa1014bcadf894381fb453e1b3ba415a0ab6644c390102f495b16 |
C:\Program Files\OpenVPN\openvpn-gui.exe
| MD5 | a6476027f3d13292599be72b672d0eba |
| SHA1 | 00fefcd36c7743499aec9a8d2c5076e1f1605639 |
| SHA256 | 9412723b811f33d33408b8a932cc389c95294f56b1cb622859dba1280c2e259b |
| SHA512 | 8033f132797ce69fb074d7ac5e9771e126ed0757ab410b0ee17020f7728803e0c89483b2ba38b4ce13b5e4855172fcb41e8476060284ca8500e56fdba5c6a6bb |
C:\Program Files\OpenVPN\openssl.exe
| MD5 | 482989dd49b3fd50dfc63d4555f7ac34 |
| SHA1 | 8bd69d6f676992c37de9554b1be633a30298047b |
| SHA256 | 2f89d2769625080c4f4d691edc189582bcfe7bc661f69b4254db20913d89e2ed |
| SHA512 | 8647b21bfbe8664163c7569cb09ec1fe4de901fb4149fe9acc37c9aef9642eb4e18bf9156b3d343a0680d068d2cd2b4cd4844f89779cdff3ef15e21c3d0cd943 |
C:\Program Files\OpenVPN\libpkcs11-helper-1.dll
| MD5 | b953c29a14e9a1de3634894ae338132d |
| SHA1 | 17adfb1793bcf320a8eab328b83caf1fff905dae |
| SHA256 | 65848133a5efb6ce50cc34e5aece19b7f95496cfdeb704840db643a1a0799394 |
| SHA512 | 0f7238c25d92e1ac05a1a926e6c318560246dfd062dde6f868b3eebf2b01c68ef27cad28927e629fa0d8d67de29783430d25427593c1891ad9789c755f2a0808 |
C:\Program Files\OpenVPN\liblzo2-2.dll
| MD5 | 33120addb41cebf8bef95c71cf2166c8 |
| SHA1 | 07ad36f3303fc95c0c914224ce0ac66cbe191042 |
| SHA256 | 81d618e824c8fc4481f337f301b2cd8a1299ccacc85fc70186a84841999d21df |
| SHA512 | cc89dd35d0e8aef12d8eeb5dcafbaca9735a87622adc8d9fadf5771b2b88ef7fdadf973d2f58f7190c91444cd2e98abeda5d5f04d20ea829370afc8540f3e79f |
C:\Program Files\OpenVPN\libeay32.dll
| MD5 | 88a5e21b46019e6632820a7ab72c4897 |
| SHA1 | 3829dade8363cc3000fee0adc760614755c69bc4 |
| SHA256 | 6fd2315f248473d4da77cec857500f47d93b91010504d40f81d650a0bebf7225 |
| SHA512 | b75e85a7c38f39b418ac3f2ed023f21d88c83c6e69b13a4888456f2e8fb5074b4e1aeebf4dd7cc3d226ae57359b8bdb2300c6d88cd85447bdaec626d822c21d9 |
C:\Program Files\OpenVPN\devcon32.exe
| MD5 | b40fe65431b18a52e6452279b88954af |
| SHA1 | c25de80f00014e129ff290bf84ddf25a23fdfc30 |
| SHA256 | 800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e |
| SHA512 | e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d |
C:\Program Files\OpenVPN\cpau.job
| MD5 | b47e8a3ea1bf24b7238471f3ef4c2012 |
| SHA1 | b85a15c08e9c895e98ed7bdc5093dbc2d5d9623e |
| SHA256 | 978364b033b906900d39def309c9ea5f62c4734e66731ffa15b4e04991b0ef46 |
| SHA512 | 4a4e84565ebd80845a129923aadf8e67337919b319e28ce0c2c784908defa460fdbedb136b8f851683bf9049b1f358059eb4945f41bdaa39b156ca7957f95237 |
C:\Program Files\OpenVPN\cpau.exe
| MD5 | 7100f979b8516b8c1ae6ff858435626e |
| SHA1 | c6a596b10bc8fd05f8a13859fef8b2cf7a9360e7 |
| SHA256 | 5ac5867eafea23f57bfead8e84c366e2259490d8814ef0e3739853364055e4e3 |
| SHA512 | d3f3acb9482df113eb2eadfcedc8ce869b4b9221df6f28497521fdb3042bc86d707dbda08df659258c706713ece89d5e0b81c5c85f8255923e96a55bb015a593 |
C:\Program Files\OpenVPN\cpau-run.exe
| MD5 | 7e54c20a0658b2691e95935231e2539e |
| SHA1 | 51a5b9a034104563100de5190220cfc8b73afadc |
| SHA256 | 16c3bc3270665b4776b35936c12a30f28ba3d858b27d59827370c1bfb5b1b60d |
| SHA512 | 98e72078f7e4e123be9e59a9bf91d27011448eddc90bf4229d0e8350a3d0c13a6751f395149928659587f8adf7d9b560eb84c1e5ae4a2dc7488f78114d6575b2 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\OPENVP~1.CS
| MD5 | d488d8de97683b833c32bbe531a3f8c1 |
| SHA1 | 4d5e1461bf19d1e46ee184235913d5e83f638f6f |
| SHA256 | cc56e334b58dff595cec0ad534e4aeb95ea0bfc3c7e4c8d80b64c9d9603f028b |
| SHA512 | d16442c5f5bd902ae4d13e6abb87726f6608cfbb845d9de4db5018b5bf61bc4e88c618b98dc58f13443a83913105f2110bcd3ee5e91c1491ba880267370243b7 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\make.bat
| MD5 | 53aff72e284f8b212a7d88abb0dc8763 |
| SHA1 | 01eb94360f2190f963010b93147999a2e5c28e4e |
| SHA256 | 4355121da1e8b1b40003e7c33b43145a4af9e6e86d2da1cb36327ffe10b69e35 |
| SHA512 | 940a2b59c3e160df0315968875b9a963ee0f72bc4698351d6839bbc48d103026b5839722e147aff901d4070c4211800a7eb9db8a120df6dc018ec78793f13a16 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\cpau-run.cs
| MD5 | 204f9556853cf1f01dd6ef9b6e93c89e |
| SHA1 | 1f90491b6acf00025df95edcf485dacb0657c541 |
| SHA256 | f61a6c64fb5dcaef02162c85083a650ab5874ba04121caea66925a88577401ae |
| SHA512 | 01e208e5e82c788f45c17ff60a0ffcac981c1db5946307e5f665ec7a41b3697b04d5d5e292f043e1f1f9ca5caf5454cddf8456810054ba799b44e131ced8d177 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 01:39
Reported
2024-06-02 01:41
Platform
win10v2004-20240426-en
Max time kernel
91s
Max time network
96s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\SET4BDE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET4BDE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0B.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.PNF | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A09.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\oemwin2k.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0B.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A09.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0901"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0801"
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\.ovpn" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"
C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe" "tapadd.au3"
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"
C:\Windows\SysWOW64\find.exe
find.exe /I "successfully"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f942a4e1-6238-f944-a88b-ce84c26b9810}\oemwin2k.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\users\admin\appdata\local\temp\openvpn\files\tap\x64"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "0000000000000138"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
C:\Windows\SysWOW64\reg.exe
reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /T /IM "autoit3.exe"
C:\Windows\SysWOW64\xcopy.exe
xcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 11
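The process tree above is a scripted installer: it force-kills competing processes, adds tapadd.cer to the machine TrustedPublisher store with certutil (the SHA1 of tapadd.cer listed under Files, ec4f1d31…, is the key name written under TrustedPublisher\Certificates, which is why the unattended devcon install of tap0901.sys raises no publisher prompt), sets Characteristics=0x89 on the new entry under the network-adapter class GUID (0x89 decodes to NCF_HAS_UI | NCF_HIDDEN | NCF_VIRTUAL, and NCF_HIDDEN keeps the adapter out of the Network Connections UI), forces openvpn-gui.exe to RUNASADMIN through AppCompatFlags\Layers, and finally delays with ping before rmdir /S /Q removes its own staging directory. The script below is an added example, not part of the sandbox report or of OpenVPN: it runs a few detection rules over process command lines of this shape (a Sysmon Event ID 1 or EDR command-line feed would be the real input). The sample list is constructed from the command lines shown above; the rule names, severities, the three-image taskkill threshold and the Finding type are this example's own choices, and the NCF_* bit values are the ones published in the Windows netcfgx.h header.

```python
"""Triage process command lines for trust-store tampering, driver installs,
UI-hiding registry edits and delayed self-deletion (added example; the
rules, names and thresholds are assumptions of this example)."""
import re
from dataclasses import dataclass

# Component characteristic bits for entries under the network class key (netcfgx.h).
NCF_FLAGS = {
    0x001: "NCF_VIRTUAL",
    0x002: "NCF_SOFTWARE_ENUMERATED",
    0x004: "NCF_PHYSICAL",
    0x008: "NCF_HIDDEN",            # not shown in the Network Connections UI
    0x010: "NCF_NO_SERVICE",
    0x020: "NCF_NOT_USER_REMOVABLE",
    0x040: "NCF_MULTIPORT_INSTANCED_ADAPTER",
    0x080: "NCF_HAS_UI",
    0x100: "NCF_SINGLE_INSTANCE",
    0x400: "NCF_FILTER",
}
NET_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002BE10318}"   # network adapters class
# Stores where an added certificate changes what the whole machine trusts.
TRUST_STORES = {"trustedpublisher", "root", "authroot", "ca"}

# Constructed sample: the command lines from the process tree above.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""',
    r'taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"',
    r'certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"',
    r'"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"',
    r'reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F',
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F',
    r'reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F',
    r'ping 127.0.0.1 -n 11',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def decode_ncf(value: int) -> list[str]:
    """Expand a Characteristics DWORD into NCF_* flag names (unknown bits kept as hex)."""
    names = [name for bit, name in NCF_FLAGS.items() if value & bit]
    unknown = value & ~sum(NCF_FLAGS)
    if unknown:
        names.append(f"0x{unknown:x}")
    return names


def parse_reg_add(cmd: str):
    """Return (key, value_name, data) for a `reg add` command line, else None."""
    m = re.search(r'(?:^|\\)reg(?:\.exe)?"?\s+add\s+"([^"]+)"(.*)$', cmd, re.I)
    if not m:
        return None
    key, rest = m.group(1), m.group(2)
    value = re.search(r'/V\s+"([^"]+)"', rest, re.I)      # /VE (default value) yields None
    data = re.search(r'/D\s+"([^"]*)"', rest, re.I)
    return key, (value.group(1) if value else None), (data.group(1) if data else None)


def triage(cmdlines) -> list[Finding]:
    """Apply the rules to each command line and return findings in input order."""
    findings = []
    for cmd in cmdlines:
        # certutil -addstore into a machine trust store: silent trust of a new signer/CA.
        m = re.search(r'certutil(?:\.exe)?"?\s+.*-addstore\s+(?:-f\s+)?"?([A-Za-z]+)"?', cmd, re.I)
        if m and m.group(1).lower() in TRUST_STORES:
            findings.append(Finding("cert_store_add", "high", f"certutil -addstore into {m.group(1)}"))
        # devcon install <inf> <hwid>: kernel driver loaded from a user-writable staging path.
        m = re.search(r'devcon(?:64)?(?:\.exe)?"?\s+install\s+"?([^"]+?\.inf)"?\s+"?([^"\s]+)"?', cmd, re.I)
        if m:
            findings.append(Finding("driver_install", "high", f"devcon install {m.group(2)} from {m.group(1)}"))
        reg = parse_reg_add(cmd)
        if reg:
            key, name, data = reg
            # Characteristics written directly under the network class key.
            if NET_CLASS_GUID in key.upper() and (name or "").lower() == "characteristics" and data:
                flags = decode_ncf(int(data, 16))
                sev = "medium" if "NCF_HIDDEN" in flags else "info"
                findings.append(Finding("net_class_characteristics", sev, f"{key} = {data} ({'|'.join(flags)})"))
            # AppCompat layer that makes a binary always request elevation.
            if "appcompatflags\\layers" in key.lower() and data and "RUNASADMIN" in data.upper():
                findings.append(Finding("appcompat_runasadmin", "medium", f"{name} forced to run elevated"))
        # Forced kill of several image names at once (clears the way for reinstall).
        if re.search(r'taskkill(?:\.exe)?"?\s', cmd, re.I) and "/f" in cmd.lower():
            images = re.findall(r'/IM\s+"?([^"\s]+)"?', cmd, re.I)
            if len(images) >= 3:
                findings.append(Finding("taskkill_sweep", "low", "force-killed " + ", ".join(images)))
        # ping-to-localhost delay followed by recursive quiet rmdir: delayed self-deletion.
        m = re.search(r'ping\s+127\.0\.0\.1\s+-n\s+(\d+).*?(?:rmdir|rd)\s+/S\s+/Q\s+"?([^"]+)"?', cmd, re.I)
        if m:
            findings.append(Finding("delayed_self_delete", "medium",
                                    f"waits ~{int(m.group(1)) - 1}s then rmdir /S /Q {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

None of these rules is malicious on its own (a legitimate OpenVPN installer performs the same steps), which is why the output is ranked rather than verdict-bearing; the combination of a trust-store addition, a driver install from %TEMP% and self-deletion in one process tree is what merits a closer look.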
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openvpn.ico
| MD5 | 069888d95f71a29ec6f8fe4b4e124adb |
| SHA1 | 353821428d6dded375f64e2c75f6cfd44b4c3f49 |
| SHA256 | bf445fb428e0ead0523322ddc9bdcdadd70ebbf83b7ff68aecdeb961a7d1be11 |
| SHA512 | 0875805467275597e7acbfae7d6edf5efad0228331b624a279b7cf485d4f8ac23c608829921e4ab372515750f66e4485c5c29d035f23baa905d42bd109546a97 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
| MD5 | abc6379205de2618851c4fcbf72112eb |
| SHA1 | 1ed7b1e965eab56f55efda975f9f7ade95337267 |
| SHA256 | 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f |
| SHA512 | 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1 |
memory/1696-75-0x0000000000400000-0x0000000000402000-memory.dmp
memory/1696-76-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat
| MD5 | 3b400e42685b3fa8df13b8cd97bedc3c |
| SHA1 | 8cc19661310675e1a823168dcf14343514d6532c |
| SHA256 | eeffe81413b850dd41861be98bdf7f5a0da84502d0e91467cfc286b89c63c719 |
| SHA512 | 463a5bb6ce2d5af52895ca203c7cfcec6144c772b2b14130d0081c11e6ef9a3f9f44181541fbbb007528512c9dd2d84e6627b7744001bd0c08f712ee0d21dc55 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapdel.bat
| MD5 | 20be78849f16f8008914d8146b5a06f3 |
| SHA1 | 7025a9cf11277fcafb527a1b6bd72fa9e467d6e2 |
| SHA256 | fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2 |
| SHA512 | 0f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
| MD5 | 3904d0698962e09da946046020cbcb17 |
| SHA1 | edae098e7e8452ca6c125cf6362dda3f4d78f0ae |
| SHA256 | a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289 |
| SHA512 | c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs
| MD5 | 106bcfcc67890864960720c1ef24d49c |
| SHA1 | 80afac8bf05f1aae0033b286f4e10e8ff15ef6d7 |
| SHA256 | 857f6e98200cd127165f602bc018b5e4d3dcc6e6c558eb65476d0a9da930f27b |
| SHA512 | ceb91976b8690d18ef61ebcb8912bcb4d0fda4e4da0489642ea76507648336cdd015a264a390ebda379b903a843887f8f47ee1f18a33a9246dbb089935552bfa |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.bat
| MD5 | 1d547f162cc179e515400745d47a9815 |
| SHA1 | aa57115d87770d696b0a5ac810be261c06d623db |
| SHA256 | 9de5b0471dbae91bdf1a140682c1e821616b715e96305ca8fe1556baa84599ab |
| SHA512 | 18ce4d2a9879f098410debcf8f6e1792666cbe420a474dfbf8ff9c622f66fc1790a9a2377eb16c74f3077e4cd99add2a72ef0227009939019afb3198dcc4ca20 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.cer
| MD5 | 3d5ffd53be77c32cbb147f32423c0a86 |
| SHA1 | ec4f1d31686625ecc004993cd0e89a4136dd3344 |
| SHA256 | 669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c |
| SHA512 | bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7 |
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
| MD5 | 78c22df03127318893ce5b1fede8401c |