Malware Analysis Report

2025-06-16 07:18

Sample ID 240602-b252psfb22
Target 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118
SHA256 2af485626e4b3fac3c880cf16b950f17562169c0c3b01e8bcead75453e74ce0d
Tags
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2af485626e4b3fac3c880cf16b950f17562169c0c3b01e8bcead75453e74ce0d

Threat Level: Likely malicious

The file 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Drops file in Drivers directory

Manipulates Digital Signatures

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies system certificate store

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 01:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 01:39

Reported

2024-06-02 01:41

Platform

win7-20240508-en

Max time kernel

130s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SET4C0E.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRIVERS\SET4C0E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\tap0901.sys C:\Windows\system32\DrvInst.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 C:\Windows\SysWOW64\certutil.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D09.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\tap0901.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D1B.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D1B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\tap0901.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D09.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\oemwin2k.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D0A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstor.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D0A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\INFCACHE.0 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\OpenVPN\cpau-run.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\openvpn-run.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tapadd.bat C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\devcon64.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\openvpn-run.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\openvpn.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\cpau-run.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\devcon32.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tapadd.bat C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\cpau.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\hidec.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\hidec.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\devcon32.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tapadd.au3 C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tap\x64\tap0901.sys C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\autoit3.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\libeay32.dll C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\openssl.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\openvpn-gui.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x32 C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tap\x32\tap0901.sys C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x64\tap0901.cat C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\openvpn-gui.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\openvpn.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\ssleay32.dll C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\log C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\cpau.job C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tapdel.bat C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tap\x32\tap0901.cat C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tap\x64\tap0901.cat C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\libeay32.dll C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\liblzo2-2.dll C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\liblzo2-2.dll C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\libpkcs11-helper-1.dll C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\openvpn.ico C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x64\tap0901.sys C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x64 C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tapdel.bat C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x64\oemwin2k.inf C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\devcon64.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\ssleay32.dll C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\config C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x32\tap0901.sys C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tap\x64\oemwin2k.inf C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\cpau.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\openvpn.ico C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap\x32\tap0901.cat C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\autoit3.exe C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tapadd.cer C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\tap C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\cpau.job C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\libpkcs11-helper-1.dll C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Program Files\OpenVPN\openssl.exe C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tapadd.au3 C:\Windows\SysWOW64\xcopy.exe N/A
File created C:\Program Files\OpenVPN\tapadd.cer C:\Windows\SysWOW64\xcopy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev2 C:\Windows\system32\DrvInst.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 1608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 1608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 1608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 1608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 1608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 1608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 2480 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2952 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2952 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2952 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2952 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2952 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2952 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2952 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 2952 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0901"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0801"

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\.ovpn" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"

C:\Windows\SysWOW64\certutil.exe

certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe" "tapadd.au3"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"

C:\Windows\SysWOW64\find.exe

find.exe /I "successfully"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0fefe06a-ebbc-2c12-4116-6c521a955d70}\oemwin2k.inf" "9" "6d14a44ff" "00000000000004C8" "WinSta0\Default" "0000000000000574" "208" "c:\users\admin\appdata\local\temp\openvpn\files\tap\x64"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000005D0" "00000000000005CC"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemwin2k.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.9:tap0901" "6d14a44ff" "000000000000038C" "00000000000005C0" "00000000000005D8"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S

C:\Windows\SysWOW64\reg.exe

reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011" /V "Characteristics" /T REG_DWORD /D "0x89" /F

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /F /T /IM "autoit3.exe"

C:\Windows\SysWOW64\xcopy.exe

xcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 11

Network

Country Destination Domain Proto
N/A 255.255.255.255:67 udp

Files

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openvpn.ico

MD5 069888d95f71a29ec6f8fe4b4e124adb
SHA1 353821428d6dded375f64e2c75f6cfd44b4c3f49
SHA256 bf445fb428e0ead0523322ddc9bdcdadd70ebbf83b7ff68aecdeb961a7d1be11
SHA512 0875805467275597e7acbfae7d6edf5efad0228331b624a279b7cf485d4f8ac23c608829921e4ab372515750f66e4485c5c29d035f23baa905d42bd109546a97

\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe

MD5 abc6379205de2618851c4fcbf72112eb
SHA1 1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

memory/1608-71-0x0000000003310000-0x0000000003312000-memory.dmp

memory/2480-77-0x0000000000400000-0x0000000000402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat

MD5 3b400e42685b3fa8df13b8cd97bedc3c
SHA1 8cc19661310675e1a823168dcf14343514d6532c
SHA256 eeffe81413b850dd41861be98bdf7f5a0da84502d0e91467cfc286b89c63c719
SHA512 463a5bb6ce2d5af52895ca203c7cfcec6144c772b2b14130d0081c11e6ef9a3f9f44181541fbbb007528512c9dd2d84e6627b7744001bd0c08f712ee0d21dc55

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapdel.bat

MD5 20be78849f16f8008914d8146b5a06f3
SHA1 7025a9cf11277fcafb527a1b6bd72fa9e467d6e2
SHA256 fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2
SHA512 0f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

MD5 3904d0698962e09da946046020cbcb17
SHA1 edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256 a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512 c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs

MD5 106bcfcc67890864960720c1ef24d49c
SHA1 80afac8bf05f1aae0033b286f4e10e8ff15ef6d7
SHA256 857f6e98200cd127165f602bc018b5e4d3dcc6e6c558eb65476d0a9da930f27b
SHA512 ceb91976b8690d18ef61ebcb8912bcb4d0fda4e4da0489642ea76507648336cdd015a264a390ebda379b903a843887f8f47ee1f18a33a9246dbb089935552bfa

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.bat

MD5 1d547f162cc179e515400745d47a9815
SHA1 aa57115d87770d696b0a5ac810be261c06d623db
SHA256 9de5b0471dbae91bdf1a140682c1e821616b715e96305ca8fe1556baa84599ab
SHA512 18ce4d2a9879f098410debcf8f6e1792666cbe420a474dfbf8ff9c622f66fc1790a9a2377eb16c74f3077e4cd99add2a72ef0227009939019afb3198dcc4ca20

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.cer

MD5 3d5ffd53be77c32cbb147f32423c0a86
SHA1 ec4f1d31686625ecc004993cd0e89a4136dd3344
SHA256 669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c
SHA512 bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7

\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe

MD5 78c22df03127318893ce5b1fede8401c
SHA1 d640359b4c5d04f666b3c57c762570a6bbb61c2c
SHA256 be76e4e3109418b914a958deeeef9116df9c269d90a1e92e9656df70dcbecd9f
SHA512 8070a452912c4a399496bd646857c3659111a9f6b6785ed0fdbde4020eabcc3aec28099534bd773b71c6b0d19dd013672441a3df1bbb287af8c1d222c3dd2664

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.au3

MD5 1399f4d45f332e0b7443e91f601cc4e5
SHA1 4fafcd4d415f977a018b3fb169d4982de5e62aaf
SHA256 9dba0f89b93b7880061dcc0b30d37d992ef99f15ee9b2e70124ebc70a55ae96b
SHA512 fb805f85e566066ca40d8f04c52ed0f0a9aee09926b37eff41b318edfe880ca5a5e909642182e8f452b90becd368d64763e2329340d3986caedd2993da9ce178

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf

MD5 b6aada0cbed06889053a05b66f146979
SHA1 823025f02b355b37df7d7657b0f2b4d3584891a5
SHA256 a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707
SHA512 9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

\??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.cat

MD5 0365c95d5be2b3d314dcc019380c0e11
SHA1 c269cee763f580e890d2eae42a8e98116e04a232
SHA256 6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503
SHA512 9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

C:\Users\Admin\AppData\Local\Temp\Cab2ADA.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2AFC.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

\??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.sys

MD5 3c32ff010f869bc184df71290477384e
SHA1 9dec39ca0d13cd4aadf4120de29665c426be9f2b
SHA256 55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b
SHA512 2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

C:\Windows\Temp\Cab2D98.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\Tar2DE9.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF

MD5 6855a9c34a2bd45ce302e8635a7913a5
SHA1 3b1a911a944eb1970a9fd8501a45bfbfca825f57
SHA256 91e27001efcbc2ef7ac66bf564d296a42640899b75b821037ff607b13beefbcf
SHA512 847183d9029374a7be71682a8bc7d9c748349c82b316bc013e29a88493dd6100b64614afbeb0a0e53e3eeedbb3ed56c0099642e352162bd3f7e74432c90db63e

C:\Windows\System32\DriverStore\INFCACHE.1

MD5 e27e5ee5c5c2c8d742bdd8d187a101f2
SHA1 17e7ef7c6aff9a1858bc8db391b3841f0bb498ea
SHA256 4c6f56bf5f87f209aeb6f0a38ab994b6948e6529b9d9e09601804791eaca3416
SHA512 4ad3d84230ab62c37fca393970e24dd40ec4887915a61ef7b10aff9b41153f21e971890bb08d2a73a969cf0b239ff13d3e6e2c16aec99cee0e1d8cb92368af15

C:\Windows\inf\oem2.PNF

MD5 e8b3eee05aeb838e7b93c27837d116db
SHA1 5ea7e83df7332f9fc9ba5fa63a0bbc034082a9f9
SHA256 0117cb5a10a89d6f70b8cdb0058fd177cf5f4bc0d2d95c08113d9d97fd24d77b
SHA512 c24172409b03bd27f458c4e6c93f65fe8460048fe2829e51f664e35393a2ab7123bd24ba9e30a1d9d0b61a6fab9c21c91ec64ce24849f4f92c492568db2b6675

memory/2644-363-0x00000000003D0000-0x00000000003F6000-memory.dmp

C:\Program Files\OpenVPN\tap\x32\tap0901.sys

MD5 432d9d823c4c26b6070c41bad4404ce4
SHA1 5e562e4b8a04dc61614423d0440f2057a0e55059
SHA256 741b41f7467d312af4cc733ea31f647fbcd06985cbb6a14117e8a87a6f7b06f5
SHA512 b53f7e036f7dabfae9d5a447ec134f43cf7c03b5c60a138e13ada19358e9b42bcd24244a220d8c00229319812fd6935a81c45233eafaf2603616846f27ae5084

C:\Program Files\OpenVPN\tap\x32\tap0901.cat

MD5 fb34d08569af3a01758d4bf629a3aa0d
SHA1 d84aa4acf33724ea68d0f60ffbce0afebc583d95
SHA256 aa83670a92681a19b6aed64cf0509c2b53b56c11352a88764fc25c7bf6f5c5f9
SHA512 df6f9d33b38b0910cbfe9aa4449bc3793eac88160d9346cf4010985bfd1edd67e70376af4c6680f08c1fe7bea76b0ab396392b09f3ce22b1f5797b66fa235de2

C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf

MD5 35589b966c65a52a1c95791bbcd80543
SHA1 d65994dd38de0e1971f8c99a048c46acc284e8bf
SHA256 8892d224ae879cc35ffe216691fc6ba3266d88b6239838f7d38b3a4ff4ad74b6
SHA512 ece01e898527ae2ce3039457ea1823bda6351871900c1a7a20057ff3250e33ed8ed216af3318edaa1c3825c17d348dee06078e946d10332e87af8ec45795fd5f

C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn

MD5 bbec26e2402902591d21c4dad4206f30
SHA1 06d41d840116f75beeb56002b90182eb88cded86
SHA256 e79f12b202712e3189ed34321eb20e0f82cc301450e1d13a8c739b399a7482ee
SHA512 d54bde1bf9c6ecc77b6dbedf8db99f8b31a94b9788349b0a974d61bcd86b2bdb95501a49443b63734ecac3e0e737515256c189dfffcb2c369ad90b9bc67cb859

C:\Program Files\OpenVPN\ssleay32.dll

MD5 d5bbd87e924eb25c9dccf3cf719ec3f0
SHA1 53318e7eef3422af92669df2530542d830fe1985
SHA256 7bb88ab66da575da9a78c4d6d92c52540b6f0346a836baded3aa9b7608996ba6
SHA512 2793cb8f5d7764f09e01f364820c1b43594a6e6eaa25aa0ec57548b13c6afd31420e11d77625cf5de69aeeaa836885592c5672cda3ae854d87eae065026affcb

C:\Program Files\OpenVPN\openvpn.exe

MD5 abd63e52fd0eb910a8d3eccb247ab25d
SHA1 8ad3fc615e5190e7de79e98e6a4ddf8e4c5ec910
SHA256 83bab0975ba4b8202b77a3ae6e6edada231ddbae30bafae1246d6fe886167bb4
SHA512 6df9d32c5f455448fae85c2f0256db8cf64b688ca2852cd30ba57e3ce763fe28f6b0d169fc7db60afd817faab74cc5481268992854b9913848873b41c2ca6627

C:\Program Files\OpenVPN\openvpn-run.exe

MD5 a04d972fa20f1b04802448756f9f3a49
SHA1 a99c091155100c71b631386604bc045d86e843c5
SHA256 97cb8862a4af8218a5c30dd51e219c23f8e3e1588fc890d65d8b12850d15a28d
SHA512 413459b771e2d7404534c12d1d5844ef8a455402c7c2cc8925e1f7e9a9cbab66968a26c5c23aa1014bcadf894381fb453e1b3ba415a0ab6644c390102f495b16

C:\Program Files\OpenVPN\openvpn-gui.exe

MD5 a6476027f3d13292599be72b672d0eba
SHA1 00fefcd36c7743499aec9a8d2c5076e1f1605639
SHA256 9412723b811f33d33408b8a932cc389c95294f56b1cb622859dba1280c2e259b
SHA512 8033f132797ce69fb074d7ac5e9771e126ed0757ab410b0ee17020f7728803e0c89483b2ba38b4ce13b5e4855172fcb41e8476060284ca8500e56fdba5c6a6bb

C:\Program Files\OpenVPN\openssl.exe

MD5 482989dd49b3fd50dfc63d4555f7ac34
SHA1 8bd69d6f676992c37de9554b1be633a30298047b
SHA256 2f89d2769625080c4f4d691edc189582bcfe7bc661f69b4254db20913d89e2ed
SHA512 8647b21bfbe8664163c7569cb09ec1fe4de901fb4149fe9acc37c9aef9642eb4e18bf9156b3d343a0680d068d2cd2b4cd4844f89779cdff3ef15e21c3d0cd943

C:\Program Files\OpenVPN\libpkcs11-helper-1.dll

MD5 b953c29a14e9a1de3634894ae338132d
SHA1 17adfb1793bcf320a8eab328b83caf1fff905dae
SHA256 65848133a5efb6ce50cc34e5aece19b7f95496cfdeb704840db643a1a0799394
SHA512 0f7238c25d92e1ac05a1a926e6c318560246dfd062dde6f868b3eebf2b01c68ef27cad28927e629fa0d8d67de29783430d25427593c1891ad9789c755f2a0808

C:\Program Files\OpenVPN\liblzo2-2.dll

MD5 33120addb41cebf8bef95c71cf2166c8
SHA1 07ad36f3303fc95c0c914224ce0ac66cbe191042
SHA256 81d618e824c8fc4481f337f301b2cd8a1299ccacc85fc70186a84841999d21df
SHA512 cc89dd35d0e8aef12d8eeb5dcafbaca9735a87622adc8d9fadf5771b2b88ef7fdadf973d2f58f7190c91444cd2e98abeda5d5f04d20ea829370afc8540f3e79f

C:\Program Files\OpenVPN\libeay32.dll

MD5 88a5e21b46019e6632820a7ab72c4897
SHA1 3829dade8363cc3000fee0adc760614755c69bc4
SHA256 6fd2315f248473d4da77cec857500f47d93b91010504d40f81d650a0bebf7225
SHA512 b75e85a7c38f39b418ac3f2ed023f21d88c83c6e69b13a4888456f2e8fb5074b4e1aeebf4dd7cc3d226ae57359b8bdb2300c6d88cd85447bdaec626d822c21d9

C:\Program Files\OpenVPN\devcon32.exe

MD5 b40fe65431b18a52e6452279b88954af
SHA1 c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256 800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512 e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d

C:\Program Files\OpenVPN\cpau.job

MD5 b47e8a3ea1bf24b7238471f3ef4c2012
SHA1 b85a15c08e9c895e98ed7bdc5093dbc2d5d9623e
SHA256 978364b033b906900d39def309c9ea5f62c4734e66731ffa15b4e04991b0ef46
SHA512 4a4e84565ebd80845a129923aadf8e67337919b319e28ce0c2c784908defa460fdbedb136b8f851683bf9049b1f358059eb4945f41bdaa39b156ca7957f95237

C:\Program Files\OpenVPN\cpau.exe

MD5 7100f979b8516b8c1ae6ff858435626e
SHA1 c6a596b10bc8fd05f8a13859fef8b2cf7a9360e7
SHA256 5ac5867eafea23f57bfead8e84c366e2259490d8814ef0e3739853364055e4e3
SHA512 d3f3acb9482df113eb2eadfcedc8ce869b4b9221df6f28497521fdb3042bc86d707dbda08df659258c706713ece89d5e0b81c5c85f8255923e96a55bb015a593

C:\Program Files\OpenVPN\cpau-run.exe

MD5 7e54c20a0658b2691e95935231e2539e
SHA1 51a5b9a034104563100de5190220cfc8b73afadc
SHA256 16c3bc3270665b4776b35936c12a30f28ba3d858b27d59827370c1bfb5b1b60d
SHA512 98e72078f7e4e123be9e59a9bf91d27011448eddc90bf4229d0e8350a3d0c13a6751f395149928659587f8adf7d9b560eb84c1e5ae4a2dc7488f78114d6575b2

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\OPENVP~1.CS

MD5 d488d8de97683b833c32bbe531a3f8c1
SHA1 4d5e1461bf19d1e46ee184235913d5e83f638f6f
SHA256 cc56e334b58dff595cec0ad534e4aeb95ea0bfc3c7e4c8d80b64c9d9603f028b
SHA512 d16442c5f5bd902ae4d13e6abb87726f6608cfbb845d9de4db5018b5bf61bc4e88c618b98dc58f13443a83913105f2110bcd3ee5e91c1491ba880267370243b7

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\make.bat

MD5 53aff72e284f8b212a7d88abb0dc8763
SHA1 01eb94360f2190f963010b93147999a2e5c28e4e
SHA256 4355121da1e8b1b40003e7c33b43145a4af9e6e86d2da1cb36327ffe10b69e35
SHA512 940a2b59c3e160df0315968875b9a963ee0f72bc4698351d6839bbc48d103026b5839722e147aff901d4070c4211800a7eb9db8a120df6dc018ec78793f13a16

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\cpau-run.cs

MD5 204f9556853cf1f01dd6ef9b6e93c89e
SHA1 1f90491b6acf00025df95edcf485dacb0657c541
SHA256 f61a6c64fb5dcaef02162c85083a650ab5874ba04121caea66925a88577401ae
SHA512 01e208e5e82c788f45c17ff60a0ffcac981c1db5946307e5f665ec7a41b3697b04d5d5e292f043e1f1f9ca5caf5454cddf8456810054ba799b44e131ced8d177

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 01:39

Reported

2024-06-02 01:41

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\SET4BDE.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\drivers\SET4BDE.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\tap0901.sys C:\Windows\system32\DrvInst.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" C:\Windows\SysWOW64\certutil.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = [binary certificate blob omitted] C:\Windows\SysWOW64\certutil.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\tap0901.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.PNF C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A09.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\oemwin2k.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0B.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A09.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\tap0901.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0A.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\system32\DrvInst.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344 C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 316 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 316 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 316 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe
PID 1696 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 888 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 888 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 888 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 888 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 888 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 888 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 888 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 888 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wscript.exe
PID 888 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\certutil.exe
PID 888 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\certutil.exe
PID 888 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\certutil.exe
PID 888 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
PID 888 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
PID 888 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe
PID 888 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 888 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe
PID 888 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 888 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 888 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2244 wrote to memory of 1264 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2244 wrote to memory of 1264 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2244 wrote to memory of 760 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2244 wrote to memory of 760 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 888 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0901"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0801"

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\.ovpn" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"

C:\Windows\SysWOW64\certutil.exe

certutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe" "tapadd.au3"

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"

C:\Windows\SysWOW64\find.exe

find.exe /I "successfully"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f942a4e1-6238-f944-a88b-ce84c26b9810}\oemwin2k.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\users\admin\appdata\local\temp\openvpn\files\tap\x64"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "0000000000000138"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S

C:\Windows\SysWOW64\reg.exe

reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /F /T /IM "autoit3.exe"

C:\Windows\SysWOW64\xcopy.exe

xcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-клиент" "C:\Program Files\OpenVPN\openvpn.ico"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 11
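
Added example, not part of the sandbox report and not vendor signature logic: a small Python triage script that tags each captured command line from the Processes list above with the host-based indicators this process tree exposes (certificate-store modification via certutil, forced elevation through an AppCompatFlags\Layers RUNASADMIN entry, devcon driver install/remove, forced process kills, the ping-sleep-then-rmdir self-cleanup, a console hidden behind hidec.exe). The sample lines are copied from the report; the tag names, weights, regexes and the scoring scheme are this example's own assumptions.

```python
"""Tag sandbox-captured command lines with host-based indicators.

Added example for this report; the rules, weights and tag names are
assumptions made for illustration, not Triage signatures or an ATT&CK
mapping.  The sample command lines are copied from the report's
Processes section.
"""
import re
from collections import Counter

# (tag, weight, regex over the full command line).  Weights are assumed.
RULES = [
    ("cert-store-add", 4,
     re.compile(r'certutil(?:\.exe)?\s+.*-addstore\s+"?(TrustedPublisher|Root|AuthRoot)\b', re.I)),
    ("appcompat-runasadmin", 3,
     re.compile(r'reg(?:\.exe)?\s+add\s+"?HK[A-Z_]+\\.*AppCompatFlags\\Layers.*RUNASADMIN', re.I)),
    ("driver-install", 3,
     re.compile(r'devcon(?:32|64)?(?:\.exe)?"?\s+install\s', re.I)),
    ("driver-remove", 1,
     re.compile(r'devcon(?:32|64)?(?:\.exe)?"?\s+remove\s', re.I)),
    ("force-kill", 2,
     re.compile(r'taskkill(?:\.exe)?\s+.*/F\b', re.I)),
    # Only the combination is interesting: a loopback ping used as a sleep,
    # followed by a recursive delete of the staging directory.
    ("sleep-then-delete", 3,
     re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+\d+.*rmdir\s+/S\s+/Q', re.I)),
    ("hidden-console", 2,
     re.compile(r'hidec(?:\.exe)?"?\s+"?.*cmd\.exe', re.I)),
    ("hklm-service-delete", 2,
     re.compile(r'reg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\', re.I)),
    ("program-files-drop", 1,
     re.compile(r'xcopy(?:\.exe)?\s+.*"?C:\\Program Files', re.I)),
    # Network class GUID {4D36E972-...}: editing an adapter's Characteristics.
    ("netclass-characteristics", 2,
     re.compile(r'reg(?:\.exe)?\s+add\s+.*\{4D36E972-E325-11CE-BFC1-08002BE10318\}.*Characteristics', re.I)),
]

# Command lines copied from the report's Processes section.
SAMPLE_CMDLINES = [
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenVPN\\Files\\hidec.exe" "C:\\Windows\\system32\\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenVPN""',
    'taskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenVPN\\Files\\devcon64.exe" remove "tap0901"',
    'reg.exe delete "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tap0801" /F',
    'certutil.exe -addstore "TrustedPublisher" "C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenVPN\\Files\\\\tapadd.cer"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenVPN\\Files\\devcon64.exe" install "C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenVPN\\Files\\tap\\x64\\oemwin2k.inf" "tap0901"',
    'reg.exe add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}\\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F',
    'xcopy.exe /E /C /Q /H /R /Y /Z "C:\\Users\\Admin\\AppData\\Local\\Temp\\OpenVPN\\Files" "C:\\Program Files\\OpenVPN\\"',
    'reg.exe add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers" /V "C:\\Program Files\\OpenVPN\\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F',
    'ping 127.0.0.1 -n 11',
    'reg.exe add "HKLM\\SOFTWARE\\Wow6432Node\\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F',
]


def tag_cmdline(cmdline):
    """Return the indicator tags (in RULES order) that match one command line."""
    return [tag for tag, _, rx in RULES if rx.search(cmdline)]


def score_process_list(cmdlines):
    """Score a whole process list.

    Returns (total, counts, hits): total is the sum of weights over the
    distinct tags seen (repeated reg.exe calls do not inflate it), counts
    is a Counter of tag occurrences, hits is a list of (cmdline, tags)
    for every line that matched at least one rule.
    """
    weights = {tag: w for tag, w, _ in RULES}
    counts = Counter()
    hits = []
    for line in cmdlines:
        tags = tag_cmdline(line)
        if tags:
            hits.append((line, tags))
            counts.update(tags)
    total = sum(weights[tag] for tag in counts)
    return total, counts, hits


if __name__ == "__main__":
    total, counts, hits = score_process_list(SAMPLE_CMDLINES)
    for line, tags in hits:
        print(",".join(tags).ljust(36), line[:90])
    print("distinct tags:", dict(counts))
    print("score:", total)
```

The bare `ping 127.0.0.1 -n 11` child process gets no tag on its own; the sleep-then-delete rule fires on the parent `cmd.exe /C` line, where the delay and the `rmdir /S /Q` of the staging directory appear together. Likewise, `certutil -addstore "TrustedPublisher"` immediately before `devcon64.exe install ... oemwin2k.inf` is the pairing worth alerting on: trusting the publisher first is what lets the TAP driver install proceed without a publisher prompt.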

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openvpn.ico

MD5 069888d95f71a29ec6f8fe4b4e124adb
SHA1 353821428d6dded375f64e2c75f6cfd44b4c3f49
SHA256 bf445fb428e0ead0523322ddc9bdcdadd70ebbf83b7ff68aecdeb961a7d1be11
SHA512 0875805467275597e7acbfae7d6edf5efad0228331b624a279b7cf485d4f8ac23c608829921e4ab372515750f66e4485c5c29d035f23baa905d42bd109546a97

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe

MD5 abc6379205de2618851c4fcbf72112eb
SHA1 1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

memory/1696-75-0x0000000000400000-0x0000000000402000-memory.dmp

memory/1696-76-0x0000000000401000-0x0000000000402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OpenVPN\install.bat

MD5 3b400e42685b3fa8df13b8cd97bedc3c
SHA1 8cc19661310675e1a823168dcf14343514d6532c
SHA256 eeffe81413b850dd41861be98bdf7f5a0da84502d0e91467cfc286b89c63c719
SHA512 463a5bb6ce2d5af52895ca203c7cfcec6144c772b2b14130d0081c11e6ef9a3f9f44181541fbbb007528512c9dd2d84e6627b7744001bd0c08f712ee0d21dc55

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapdel.bat

MD5 20be78849f16f8008914d8146b5a06f3
SHA1 7025a9cf11277fcafb527a1b6bd72fa9e467d6e2
SHA256 fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2
SHA512 0f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe

MD5 3904d0698962e09da946046020cbcb17
SHA1 edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256 a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512 c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs

MD5 106bcfcc67890864960720c1ef24d49c
SHA1 80afac8bf05f1aae0033b286f4e10e8ff15ef6d7
SHA256 857f6e98200cd127165f602bc018b5e4d3dcc6e6c558eb65476d0a9da930f27b
SHA512 ceb91976b8690d18ef61ebcb8912bcb4d0fda4e4da0489642ea76507648336cdd015a264a390ebda379b903a843887f8f47ee1f18a33a9246dbb089935552bfa

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.bat

MD5 1d547f162cc179e515400745d47a9815
SHA1 aa57115d87770d696b0a5ac810be261c06d623db
SHA256 9de5b0471dbae91bdf1a140682c1e821616b715e96305ca8fe1556baa84599ab
SHA512 18ce4d2a9879f098410debcf8f6e1792666cbe420a474dfbf8ff9c622f66fc1790a9a2377eb16c74f3077e4cd99add2a72ef0227009939019afb3198dcc4ca20

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.cer

MD5 3d5ffd53be77c32cbb147f32423c0a86
SHA1 ec4f1d31686625ecc004993cd0e89a4136dd3344
SHA256 669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c
SHA512 bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe

MD5 78c22df03127318893ce5b1fede8401c
SHA1 d640359b4c5d04f666b3c57c762570a6bbb61c2c
SHA256 be76e4e3109418b914a958deeeef9116df9c269d90a1e92e9656df70dcbecd9f
SHA512 8070a452912c4a399496bd646857c3659111a9f6b6785ed0fdbde4020eabcc3aec28099534bd773b71c6b0d19dd013672441a3df1bbb287af8c1d222c3dd2664

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tapadd.au3

MD5 1399f4d45f332e0b7443e91f601cc4e5
SHA1 4fafcd4d415f977a018b3fb169d4982de5e62aaf
SHA256 9dba0f89b93b7880061dcc0b30d37d992ef99f15ee9b2e70124ebc70a55ae96b
SHA512 fb805f85e566066ca40d8f04c52ed0f0a9aee09926b37eff41b318edfe880ca5a5e909642182e8f452b90becd368d64763e2329340d3986caedd2993da9ce178

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf

MD5 b6aada0cbed06889053a05b66f146979
SHA1 823025f02b355b37df7d7657b0f2b4d3584891a5
SHA256 a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707
SHA512 9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

\??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.cat

MD5 0365c95d5be2b3d314dcc019380c0e11
SHA1 c269cee763f580e890d2eae42a8e98116e04a232
SHA256 6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503
SHA512 9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

\??\c:\users\admin\appdata\local\temp\openvpn\files\tap\x64\tap0901.sys

MD5 3c32ff010f869bc184df71290477384e
SHA1 9dec39ca0d13cd4aadf4120de29665c426be9f2b
SHA256 55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b
SHA512 2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\config\LNKRIV~1.OVP

MD5 bbec26e2402902591d21c4dad4206f30
SHA1 06d41d840116f75beeb56002b90182eb88cded86
SHA256 e79f12b202712e3189ed34321eb20e0f82cc301450e1d13a8c739b399a7482ee
SHA512 d54bde1bf9c6ecc77b6dbedf8db99f8b31a94b9788349b0a974d61bcd86b2bdb95501a49443b63734ecac3e0e737515256c189dfffcb2c369ad90b9bc67cb859

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\cpau-run.exe

MD5 7e54c20a0658b2691e95935231e2539e
SHA1 51a5b9a034104563100de5190220cfc8b73afadc
SHA256 16c3bc3270665b4776b35936c12a30f28ba3d858b27d59827370c1bfb5b1b60d
SHA512 98e72078f7e4e123be9e59a9bf91d27011448eddc90bf4229d0e8350a3d0c13a6751f395149928659587f8adf7d9b560eb84c1e5ae4a2dc7488f78114d6575b2

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openvpn.exe

MD5 abd63e52fd0eb910a8d3eccb247ab25d
SHA1 8ad3fc615e5190e7de79e98e6a4ddf8e4c5ec910
SHA256 83bab0975ba4b8202b77a3ae6e6edada231ddbae30bafae1246d6fe886167bb4
SHA512 6df9d32c5f455448fae85c2f0256db8cf64b688ca2852cd30ba57e3ce763fe28f6b0d169fc7db60afd817faab74cc5481268992854b9913848873b41c2ca6627

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x32\tap0901.sys

MD5 432d9d823c4c26b6070c41bad4404ce4
SHA1 5e562e4b8a04dc61614423d0440f2057a0e55059
SHA256 741b41f7467d312af4cc733ea31f647fbcd06985cbb6a14117e8a87a6f7b06f5
SHA512 b53f7e036f7dabfae9d5a447ec134f43cf7c03b5c60a138e13ada19358e9b42bcd24244a220d8c00229319812fd6935a81c45233eafaf2603616846f27ae5084

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x32\tap0901.cat

MD5 fb34d08569af3a01758d4bf629a3aa0d
SHA1 d84aa4acf33724ea68d0f60ffbce0afebc583d95
SHA256 aa83670a92681a19b6aed64cf0509c2b53b56c11352a88764fc25c7bf6f5c5f9
SHA512 df6f9d33b38b0910cbfe9aa4449bc3793eac88160d9346cf4010985bfd1edd67e70376af4c6680f08c1fe7bea76b0ab396392b09f3ce22b1f5797b66fa235de2

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x32\oemwin2k.inf

MD5 35589b966c65a52a1c95791bbcd80543
SHA1 d65994dd38de0e1971f8c99a048c46acc284e8bf
SHA256 8892d224ae879cc35ffe216691fc6ba3266d88b6239838f7d38b3a4ff4ad74b6
SHA512 ece01e898527ae2ce3039457ea1823bda6351871900c1a7a20057ff3250e33ed8ed216af3318edaa1c3825c17d348dee06078e946d10332e87af8ec45795fd5f

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\ssleay32.dll

MD5 d5bbd87e924eb25c9dccf3cf719ec3f0
SHA1 53318e7eef3422af92669df2530542d830fe1985
SHA256 7bb88ab66da575da9a78c4d6d92c52540b6f0346a836baded3aa9b7608996ba6
SHA512 2793cb8f5d7764f09e01f364820c1b43594a6e6eaa25aa0ec57548b13c6afd31420e11d77625cf5de69aeeaa836885592c5672cda3ae854d87eae065026affcb

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\OPENVP~2.EXE

MD5 a04d972fa20f1b04802448756f9f3a49
SHA1 a99c091155100c71b631386604bc045d86e843c5
SHA256 97cb8862a4af8218a5c30dd51e219c23f8e3e1588fc890d65d8b12850d15a28d
SHA512 413459b771e2d7404534c12d1d5844ef8a455402c7c2cc8925e1f7e9a9cbab66968a26c5c23aa1014bcadf894381fb453e1b3ba415a0ab6644c390102f495b16

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\OPENVP~1.EXE

MD5 a6476027f3d13292599be72b672d0eba
SHA1 00fefcd36c7743499aec9a8d2c5076e1f1605639
SHA256 9412723b811f33d33408b8a932cc389c95294f56b1cb622859dba1280c2e259b
SHA512 8033f132797ce69fb074d7ac5e9771e126ed0757ab410b0ee17020f7728803e0c89483b2ba38b4ce13b5e4855172fcb41e8476060284ca8500e56fdba5c6a6bb

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\openssl.exe

MD5 482989dd49b3fd50dfc63d4555f7ac34
SHA1 8bd69d6f676992c37de9554b1be633a30298047b
SHA256 2f89d2769625080c4f4d691edc189582bcfe7bc661f69b4254db20913d89e2ed
SHA512 8647b21bfbe8664163c7569cb09ec1fe4de901fb4149fe9acc37c9aef9642eb4e18bf9156b3d343a0680d068d2cd2b4cd4844f89779cdff3ef15e21c3d0cd943

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\LIBPKC~1.DLL

MD5 b953c29a14e9a1de3634894ae338132d
SHA1 17adfb1793bcf320a8eab328b83caf1fff905dae
SHA256 65848133a5efb6ce50cc34e5aece19b7f95496cfdeb704840db643a1a0799394
SHA512 0f7238c25d92e1ac05a1a926e6c318560246dfd062dde6f868b3eebf2b01c68ef27cad28927e629fa0d8d67de29783430d25427593c1891ad9789c755f2a0808

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\LIBLZO~1.DLL

MD5 33120addb41cebf8bef95c71cf2166c8
SHA1 07ad36f3303fc95c0c914224ce0ac66cbe191042
SHA256 81d618e824c8fc4481f337f301b2cd8a1299ccacc85fc70186a84841999d21df
SHA512 cc89dd35d0e8aef12d8eeb5dcafbaca9735a87622adc8d9fadf5771b2b88ef7fdadf973d2f58f7190c91444cd2e98abeda5d5f04d20ea829370afc8540f3e79f

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\libeay32.dll

MD5 88a5e21b46019e6632820a7ab72c4897
SHA1 3829dade8363cc3000fee0adc760614755c69bc4
SHA256 6fd2315f248473d4da77cec857500f47d93b91010504d40f81d650a0bebf7225
SHA512 b75e85a7c38f39b418ac3f2ed023f21d88c83c6e69b13a4888456f2e8fb5074b4e1aeebf4dd7cc3d226ae57359b8bdb2300c6d88cd85447bdaec626d822c21d9

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon32.exe

MD5 b40fe65431b18a52e6452279b88954af
SHA1 c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256 800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512 e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\cpau.job

MD5 b47e8a3ea1bf24b7238471f3ef4c2012
SHA1 b85a15c08e9c895e98ed7bdc5093dbc2d5d9623e
SHA256 978364b033b906900d39def309c9ea5f62c4734e66731ffa15b4e04991b0ef46
SHA512 4a4e84565ebd80845a129923aadf8e67337919b319e28ce0c2c784908defa460fdbedb136b8f851683bf9049b1f358059eb4945f41bdaa39b156ca7957f95237

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\cpau.exe

MD5 7100f979b8516b8c1ae6ff858435626e
SHA1 c6a596b10bc8fd05f8a13859fef8b2cf7a9360e7
SHA256 5ac5867eafea23f57bfead8e84c366e2259490d8814ef0e3739853364055e4e3
SHA512 d3f3acb9482df113eb2eadfcedc8ce869b4b9221df6f28497521fdb3042bc86d707dbda08df659258c706713ece89d5e0b81c5c85f8255923e96a55bb015a593

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\OPENVP~1.CS

MD5 d488d8de97683b833c32bbe531a3f8c1
SHA1 4d5e1461bf19d1e46ee184235913d5e83f638f6f
SHA256 cc56e334b58dff595cec0ad534e4aeb95ea0bfc3c7e4c8d80b64c9d9603f028b
SHA512 d16442c5f5bd902ae4d13e6abb87726f6608cfbb845d9de4db5018b5bf61bc4e88c618b98dc58f13443a83913105f2110bcd3ee5e91c1491ba880267370243b7

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\make.bat

MD5 53aff72e284f8b212a7d88abb0dc8763
SHA1 01eb94360f2190f963010b93147999a2e5c28e4e
SHA256 4355121da1e8b1b40003e7c33b43145a4af9e6e86d2da1cb36327ffe10b69e35
SHA512 940a2b59c3e160df0315968875b9a963ee0f72bc4698351d6839bbc48d103026b5839722e147aff901d4070c4211800a7eb9db8a120df6dc018ec78793f13a16

C:\Users\Admin\AppData\Local\Temp\OpenVPN\Sources\cpau-run.cs

MD5 204f9556853cf1f01dd6ef9b6e93c89e
SHA1 1f90491b6acf00025df95edcf485dacb0657c541
SHA256 f61a6c64fb5dcaef02162c85083a650ab5874ba04121caea66925a88577401ae
SHA512 01e208e5e82c788f45c17ff60a0ffcac981c1db5946307e5f665ec7a41b3697b04d5d5e292f043e1f1f9ca5caf5454cddf8456810054ba799b44e131ced8d177