Analysis Overview
SHA256
8ca04d27ef8c28e0edac3b740ebe7fb8839b4794752a0d359ae18de22fc6be35
Threat Level: Known bad
The file Radmin_VPN_1.4.4642.1.exe was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Drops file in Drivers directory
Blocklisted process makes network request
Adds Run key to start application
Enumerates connected drives
Modifies Windows Firewall
Downloads MZ/PE file
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Modifies registry class
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 15:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 15:10
Reported
2025-01-27 15:11
Platform
win10v2004-20241007-en
Max time kernel
28s
Max time network
29s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\Teredo | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords\Teredo\Collection | C:\Windows\System32\svchost.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\RvNetMP60.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SETE34B.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SETE34B.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RadminVPN = "\"C:\\Program Files (x86)\\Radmin VPN\\RvRvpnGui.exe\" /minimized" | C:\Windows\system32\msiexec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\SETE197.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\SETE1A7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\SETE1A7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\RvNetMP60.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\SETE186.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\RvNetMP60.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\NetMP60.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\netmp60.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\SETE186.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\SETE197.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1a1bddba-f89a-634a-9098-a87b25621368}\netmp60.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\NetMP60.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netmp60.inf_amd64_f32b93923791d26a\netmp60.PNF | C:\Windows\Installer\MSIE05E.tmp | N/A |
| File opened for modification | C:\Windows\System32\RadminVpn_setupapi_20250127_151108828.log | C:\Windows\Installer\MSIE05E.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\boot.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvFwHelper.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1038.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1049.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\amt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-errorhandling-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_da_DK.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\imrsdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\Qt5Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\shelper.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1086.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-rtlsupport-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-sysinfo-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1036.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1042.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\platforms\qwindows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\voicex.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\WinLpcDl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1031.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\Driver.1.0\NetMP60.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\imageformats\qico.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_ja_JP.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-debug-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-profile-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvGuiStarter.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1044.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-datetime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\drvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_sv_SE.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvUESClient.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1045.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\2052.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\Driver.1.1\NetMP60.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_hr_HR.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvROLClient.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_tr_TR.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvTRSConnect.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\amt.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\Driver.1.0\RvNetMP60.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_bg_BG.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1040.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_uk_UA.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\vcintcx.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_zh_CN.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_zh_TW.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1025.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-console-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-memory-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\Qt5Svg.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_fi_FI.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\rserv35ml.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\RvRvpnGui_sk_SK.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\vcintsx.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-core-libraryloader-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1048.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Radmin VPN\1032.lng_rad | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDA24.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}\ProductIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57d12b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\e57d12f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE05E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}\ProductIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\Installer\MSIE05E.tmp | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE512.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57d12b.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp | N/A |
| N/A | N/A | C:\Windows\Installer\MSIE05E.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Radmin_VPN_1.4.4642.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | C:\Windows\System32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
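Every row above is a "Key created" on an empty Certificates, CRLs or CTLs container under HKU\.DEFAULT. CryptoAPI creates these containers the first time a process opens a certificate store; the processes here (the msiexec custom-action host MSIE05E.tmp and DrvInst.exe) run as LocalSystem, whose per-user hive is HKU\.DEFAULT, and they open the stores to verify the driver package's catalog and Authenticode signatures. No certificate blob is written, so nothing is added to or removed from any trust store. The Python below is an added triage example, not part of the sandbox report: it separates that store-container noise from a write that would actually change trust (a value under <store>\Certificates\<SHA-1 thumbprint>). REPORT_ROWS copies rows from the table above; SYNTHETIC_ROOT_INSERT is a constructed row with a hypothetical process path, not observed in this analysis, included only to show what a positive looks like.

```python
import re

# Rows copied from the table above (constructed input for this example).
REPORT_ROWS = r"""
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Installer\MSIE05E.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | C:\Windows\System32\svchost.exe | N/A |
"""

# Constructed row, NOT observed in this analysis: the shape of a real root-store
# insertion (a Blob written under <store>\Certificates\<SHA-1 thumbprint>).
SYNTHETIC_ROOT_INSERT = (
    r"| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates"
    r"\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob = 0300000001000000 "
    r"| C:\Windows\Temp\hypothetical.exe | N/A |"
)

# Stores whose contents decide Authenticode and TLS trust decisions.
SENSITIVE_STORES = {"root", "authroot", "ca", "trustedpublisher", "trustedpeople", "disallowed"}

_STORE_RE = re.compile(
    r"SystemCertificates\\(?P<store>[^\\]+)"
    r"(?:\\(?P<bucket>Certificates|CRLs|CTLs)"
    r"(?:\\(?P<thumb>[0-9A-Fa-f]{40})(?:\\(?P<value>[^\\]+))?)?)?",
    re.IGNORECASE,
)


def parse_row(line):
    """Split one '| op | indicator | process | target |' row; None for header/blank."""
    fields = [f.strip() for f in line.strip().strip("|").split(" | ")]
    if len(fields) != 4 or fields[0] == "Description":
        return None
    op, indicator, process, _target = fields
    # For 'Set value' rows the indicator is '<path> = <data>'; keep only the path.
    return {"op": op, "path": indicator.split(" = ", 1)[0], "process": process}


def classify_row(line):
    row = parse_row(line)
    if row is None:
        return None
    m = _STORE_RE.search(row["path"])
    if m is None:
        row["category"] = "unrelated"
        return row
    row.update(store=m["store"], bucket=m["bucket"], thumbprint=m["thumb"])
    if m["thumb"] is None:
        # Only the (empty) store container was created: CryptoAPI does this on
        # first open of a store; nothing was added to or removed from it.
        row["category"] = "store_container"
    elif m["store"].lower() in SENSITIVE_STORES:
        row["category"] = "trust_change"
    else:
        row["category"] = "store_entry"
    return row


def classify_rows(text):
    return [r for r in (classify_row(ln) for ln in text.splitlines()) if r is not None]


def trust_changes(text):
    """The only rows an analyst must look at: writes that alter a trust store."""
    return [r for r in classify_rows(text) if r["category"] == "trust_change"]
```

Run `trust_changes()` over the whole HKEY_USERS table and it returns an empty list for this report; the synthetic row is the kind of entry that would make it non-empty.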
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-TKL5S.tmp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F\f_exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F\f_radmin | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\PackageName = "RadminVPN_1.4.4642.1.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\is-TKL5S.tmp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\ProductName = "Radmin VPN 1.4.1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\PackageCode = "17C5BD852BFC91540874754C6DF8C806" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DC8202FE7C90E71498671B8FE6BB092E\9713ADC21A76A014189ABAA1F48DD99F | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\Version = "17044002" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DC8202FE7C90E71498671B8FE6BB092E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9713ADC21A76A014189ABAA1F48DD99F\f_viewer | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9713ADC21A76A014189ABAA1F48DD99F\ProductIcon = "C:\\Windows\\Installer\\{2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}\\ProductIcon" | C:\Windows\system32\msiexec.exe | N/A |
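The key name 9713ADC21A76A014189ABAA1F48DD99F is the MSI product code in Windows Installer's "squished" form: the first three GUID segments are reversed as strings and the last two are byte-swapped. Unsquished it is {2CDA3179-67A1-410A-81A9-AB1A4FD89DF9}, the same GUID that appears in the ProductIcon path, and the packed Version 17044002 decodes to 1.4.4642, which matches the package name RadminVPN_1.4.4642.1.msi rather than the ProductName string "Radmin VPN 1.4.1". The Python below is an added example of that decoding, not code from the report or from the Radmin installer; the values are those in the table above, and the InstallProperties path it derives is the standard per-machine (S-1-5-18) location an analyst would read on a live host.

```python
import re


def _swap_pairs(s):
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def _transform(hex32):
    """Windows Installer GUID 'squish': GUID segments 1-3 reversed as strings,
    segments 4-5 swapped byte-wise. Every step is an involution, so the same
    transform converts in both directions."""
    return (
        hex32[0:8][::-1],
        hex32[8:12][::-1],
        hex32[12:16][::-1],
        _swap_pairs(hex32[16:20]),
        _swap_pairs(hex32[20:32]),
    )


def unsquish(squished):
    s = squished.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError("expected 32 hex digits")
    return "{" + "-".join(_transform(s)) + "}"


def squish(guid):
    s = guid.strip().strip("{}").replace("-", "").upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError("expected a GUID")
    return "".join(_transform(s))


def decode_version(packed):
    """Installer 'Version' DWORD: major << 24 | minor << 16 | build."""
    v = int(packed)
    return (v >> 24) & 0xFF, (v >> 16) & 0xFF, v & 0xFFFF


# Values from the 'Modifies registry class' table above.
REPORT_VALUES = {
    "product_key": "9713ADC21A76A014189ABAA1F48DD99F",
    "UpgradeCode": "DC8202FE7C90E71498671B8FE6BB092E",
    "Version": "17044002",
    "Language": "1033",
    "PackageName": "RadminVPN_1.4.4642.1.msi",
}


def decode_product(reg):
    """Turn the raw registration values into what an analyst pivots on."""
    major, minor, build = decode_version(reg["Version"])
    return {
        "ProductCode": unsquish(reg["product_key"]),
        "UpgradeCode": unsquish(reg["UpgradeCode"]),
        "Version": f"{major}.{minor}.{build}",
        "Language": int(reg["Language"]),
        "PackageName": reg["PackageName"],
        # Per-machine install properties live under the SYSTEM SID, keyed by the squished code.
        "InstallProperties": "\\".join((
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products",
            reg["product_key"], "InstallProperties")),
    }


if __name__ == "__main__":
    for k, v in decode_product(REPORT_VALUES).items():
        print(f"{k:18} {v}")
```

The ProductCode is what `msiexec /x {GUID}` needs to remove the product, and the UpgradeCode is what later versions of the same product share, so both are worth keeping with the hashes when building indicators from this report.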
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Radmin_VPN_1.4.4642.1.exe
"C:\Users\Admin\AppData\Local\Temp\Radmin_VPN_1.4.4642.1.exe"
C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp" /SL5="$6020E,21145108,189952,C:\Users\Admin\AppData\Local\Temp\Radmin_VPN_1.4.4642.1.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3E3BCA824BD2BAE305C0748D96207BAB
C:\Windows\Installer\MSIE05E.tmp
"C:\Windows\Installer\MSIE05E.tmp" install "C:\Program Files (x86)\Radmin VPN\Driver.1.1\NetMP60.inf" "C:\Program Files (x86)\Radmin VPN\Driver.1.0\NetMP60.inf" ad_InstallDriver_64 ""
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "c:\program files (x86)\radmin vpn\driver.1.1\netmp60.inf" "9" "42f731a47" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\radmin vpn\driver.1.1"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c36c271bc64eefc9:RVpnNetMP.ndi:15.39.54.8:{b06d84d1-af78-41ec-a5b9-3cce676528b2}\rvnetmp60," "42f731a47" "0000000000000154"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1CD0321E506105EB60F74B62D580D6C0 E Global\MSI0000
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Radmin VPN Control Service" dir=in action=allow program="C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe" enable=yes profile=any edge=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Radmin VPN icmpv4" action=allow enable=yes dir=in profile=any remoteip=26.0.0.0/8 protocol=icmpv4
C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe
"C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe" /service
C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe
"C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe" /show
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ipv4 set interface interface="Radmin VPN" metric=1
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe interface ipv4 set interface interface="Radmin VPN" metric=1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ip delete route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe interface ip delete route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ip add route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1 publish=Yes metric=9256
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe interface ip add route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1 publish=Yes metric=9256
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ip add address name="Radmin VPN" addr=26.147.8.132 mask=255.0.0.0 gateway=26.0.0.1 gwmetric=9256
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe interface ip add address name="Radmin VPN" addr=26.147.8.132 mask=255.0.0.0 gateway=26.0.0.1 gwmetric=9256
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\netsh.exe interface ipv6 add address interface="Radmin VPN" address=fdfd::1a93:884
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe interface ipv6 add address interface="Radmin VPN" address=fdfd::1a93:884
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc
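The netsh invocations above are the behaviour behind "Modifies Windows Firewall": an inbound allow rule for RvControlSvc.exe on every profile with edge traversal enabled (unsolicited connections may reach the service through NAT), an inbound ICMPv4 allow limited to 26.0.0.0/8, the "Radmin VPN" interface metric set to 1, and a default route via 26.0.0.1 with route metric 9256 next to the address 26.147.8.132/8. Windows ranks routes by interface metric plus route metric, so that default route scores 9257, far above the automatic metric of a physical adapter; it is a low-priority fallback, not a takeover of the host's default route. The edge-traversal rule on all profiles is the item that deserves a policy decision. The Python below is an added example, not code from the report: it parses those command lines (copied here as constructed input) and summarises the firewall and routing changes, using the report's own values and no others.

```python
import ipaddress
import re

# Command lines copied from the Processes section above (constructed input).
NETSH_COMMANDS = [
    r'netsh advfirewall firewall add rule name="Radmin VPN Control Service" dir=in action=allow program="C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe" enable=yes profile=any edge=yes',
    r'netsh advfirewall firewall add rule name="Radmin VPN icmpv4" action=allow enable=yes dir=in profile=any remoteip=26.0.0.0/8 protocol=icmpv4',
    r'C:\Windows\system32\netsh.exe interface ipv4 set interface interface="Radmin VPN" metric=1',
    r'C:\Windows\system32\netsh.exe interface ip delete route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1',
    r'C:\Windows\system32\netsh.exe interface ip add route prefix=0.0.0.0/0 interface="Radmin VPN" nexthop=26.0.0.1 publish=Yes metric=9256',
    r'C:\Windows\system32\netsh.exe interface ip add address name="Radmin VPN" addr=26.147.8.132 mask=255.0.0.0 gateway=26.0.0.1 gwmetric=9256',
    r'C:\Windows\system32\netsh.exe interface ipv6 add address interface="Radmin VPN" address=fdfd::1a93:884',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
ACTIONS = {"add", "set", "delete"}
DEFAULT_PREFIXES = {"0.0.0.0/0", "::/0"}


def parse_netsh(cmd):
    """Split a netsh command line into positional verbs and key=value arguments."""
    args = {k.lower(): v.strip('"') for k, v in _KV.findall(cmd)}
    verbs = [w.lower() for w in _KV.sub("", cmd).split()]
    if verbs and verbs[0].endswith(("netsh", "netsh.exe")):
        verbs = verbs[1:]
    action = next((v for v in verbs if v in ACTIONS), None)
    obj = verbs[verbs.index(action) + 1] if action and verbs.index(action) + 1 < len(verbs) else None
    return {"context": verbs[0] if verbs else None, "action": action, "object": obj, "args": args}


def summarize(events):
    s = {"inbound_allow": [], "default_route": None, "addresses": [],
         "interface_metric": {}, "vpn_network": None}
    for e in events:
        a, ctx = e["args"], e["context"]
        if ctx == "advfirewall" and e["action"] == "add" and a.get("dir") == "in" and a.get("action") == "allow":
            s["inbound_allow"].append({
                "name": a.get("name"), "program": a.get("program"),
                "remoteip": a.get("remoteip", "any"), "protocol": a.get("protocol", "any"),
                "edge_traversal": a.get("edge") == "yes", "profile": a.get("profile", "any")})
        elif ctx == "interface" and e["object"] == "route" and e["action"] == "add":
            if a.get("prefix") in DEFAULT_PREFIXES:
                s["default_route"] = {"interface": a["interface"], "nexthop": a["nexthop"],
                                      "metric": int(a.get("metric", 0))}
        elif ctx == "interface" and e["object"] == "address" and e["action"] == "add":
            if "addr" in a:  # IPv4 form: addr= mask=
                iface = ipaddress.ip_interface(f"{a['addr']}/{a['mask']}")
                s["addresses"].append(iface.with_prefixlen)
                s["vpn_network"] = str(iface.network)
            elif "address" in a:  # IPv6 form
                s["addresses"].append(ipaddress.ip_interface(a["address"]).with_prefixlen)
        elif ctx == "interface" and e["object"] == "interface" and e["action"] == "set":
            s["interface_metric"][a["interface"]] = int(a["metric"])
    return s


def effective_default_metric(summary):
    """Windows ranks routes by interface metric + route metric."""
    r = summary["default_route"]
    if r is None:
        return None
    return summary["interface_metric"].get(r["interface"], 0) + r["metric"]


def findings(summary):
    out = []
    for rule in summary["inbound_allow"]:
        if rule["program"] and rule["edge_traversal"] and rule["profile"] == "any":
            out.append(f"unsolicited inbound allowed through NAT on every profile: {rule['program']}")
    if summary["default_route"]:
        out.append(f"default route via {summary['default_route']['nexthop']} "
                   f"with effective metric {effective_default_metric(summary)}")
    return out
```

On a live host the same check is `netsh advfirewall firewall show rule name="Radmin VPN Control Service"` and `route print -4`, where the VPN default route should appear with metric 9257 below the physical adapter's.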
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e.6.c.5.b.4.3.9.c.4.6.d.5.2.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 167.57.26.184.in-addr.arpa | udp |
| N/A | 255.255.255.255:67 | | udp |
| US | 8.8.8.8:53 | fail.radminte.com | udp |
| GB | 57.128.187.188:17301 | fail.radminte.com | tcp |
| CA | 148.113.190.78:17301 | fail.radminte.com | tcp |
| US | 8.8.8.8:53 | 188.187.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.190.113.148.in-addr.arpa | udp |
| GB | 198.244.203.247:17301 | fail.radminte.com | tcp |
| US | 8.8.8.8:53 | 247.203.244.198.in-addr.arpa | udp |
| GB | 198.244.203.247:17301 | fail.radminte.com | tcp |
| US | 8.8.8.8:53 | win1910.ipv6.microsoft.com | udp |
| US | 8.8.8.8:53 | 110.92.254.169.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.254.169.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 132.8.147.26.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | update.radmin-te.com | udp |
| GB | 51.89.153.153:80 | update.radmin-te.com | tcp |
| US | 8.8.8.8:53 | 153.153.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.26.in-addr.arpa | udp |
| GB | 51.89.153.153:80 | update.radmin-te.com | tcp |
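The network table mixes three kinds of traffic: forward lookups of two vendor hosts, TCP sessions to them (port 17301 for fail.radminte.com, plain HTTP on port 80 for update.radmin-te.com), and a run of PTR queries that are reverse lookups of the peers just contacted or of the machine's own link-local and VPN addresses (fe80::1425:d64c:934b:5c6e, 169.254.x.x, 26.147.8.132). Only the first two groups are the sample's doing. The plaintext update channel is the point to check: HTTP gives no transport integrity, so whatever the updater fetches (the report lists RvDownloader.dll and RvRolUpdater.dll and flags "Downloads MZ/PE file") is protected only if the client verifies a signature before executing it, which this report does not show either way. The Python below is an added example, not part of the report: it parses the rows (copied here as constructed input), decodes in-addr.arpa and ip6.arpa names back to addresses, groups peers by port, and flags plaintext HTTP and non-standard ports; the 80/443 heuristic is the example's own.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the Network table above (constructed input; mDNS and DHCP rows
# have an empty Domain column).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e.6.c.5.b.4.3.9.c.4.6.d.5.2.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 255.255.255.255:67 | | udp |
| US | 8.8.8.8:53 | fail.radminte.com | udp |
| GB | 57.128.187.188:17301 | fail.radminte.com | tcp |
| CA | 148.113.190.78:17301 | fail.radminte.com | tcp |
| US | 8.8.8.8:53 | 188.187.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.190.113.148.in-addr.arpa | udp |
| GB | 198.244.203.247:17301 | fail.radminte.com | tcp |
| US | 8.8.8.8:53 | 247.203.244.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.8.147.26.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.radmin-te.com | udp |
| GB | 51.89.153.153:80 | update.radmin-te.com | tcp |
| US | 8.8.8.8:53 | 153.153.89.51.in-addr.arpa | udp |
"""

BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) != 4 or fields[0] == "Country":
            continue
        country, dest, domain, proto = fields
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """Decode a reverse-lookup name back to the address it asks about."""
    if name.endswith(".in-addr.arpa"):
        return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        return str(ipaddress.ip_address(int("".join(reversed(nibbles)), 16)))
    return None


def triage(rows):
    peers = defaultdict(set)       # port -> set of contacted IPs
    forward, flags = set(), []
    for r in rows:
        addr = ipaddress.ip_address(r["ip"])
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"] and not r["domain"].endswith(".arpa"):
                forward.add(r["domain"])
            continue
        if addr.is_multicast or addr == BROADCAST:
            continue                # mDNS / DHCP chatter from the sandbox itself
        peers[r["port"]].add(r["ip"])
        if r["port"] == 80:
            flags.append(("plaintext_http", r["domain"], r["ip"], r["port"]))
        elif r["port"] != 443:
            flags.append(("nonstandard_port", r["domain"], r["ip"], r["port"]))
    contacted = set().union(*peers.values()) if peers else set()
    ptr = {"contacted_peer": [], "link_local": [], "other": []}
    for r in rows:
        ip = ptr_to_ip(r["domain"]) if r["domain"] else None
        if ip is None:
            continue
        if ip in contacted:
            ptr["contacted_peer"].append(ip)
        elif ipaddress.ip_address(ip).is_link_local:
            ptr["link_local"].append(ip)
        else:
            ptr["other"].append(ip)
    return {"forward_lookups": forward, "peers": dict(peers), "ptr": ptr,
            "flags": sorted(set(flags))}
```

The "other" PTR bucket is where the sandbox's own addresses land (26.147.8.132 is the address the installer assigned to the VPN adapter, and 20.72.205.209 is not contacted anywhere in the table), so it is not a list of additional peers.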
Files
memory/3308-0-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3308-2-0x0000000000401000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-O2NFG.tmp\Radmin_VPN_1.4.4642.1.tmp
| MD5 | ec5312e06da51691d2e26820f3c93ece |
| SHA1 | 552bceec2bbb0fdc0472eba0bb4c5993b35b0a83 |
| SHA256 | 421cb7e48e3063d927eefe28940e119fb1309a3990bc7325c7f7052a2b286a09 |
| SHA512 | 4fdbbb662b0a8ef4770cd18b358135557ec0134e87365eb800520ce8d87fb8cca2f28c572fd50346daea0964eb62524b9ac7a5fc0e34c30500358cce4b90fb0a |
memory/2136-7-0x0000000000400000-0x000000000053C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-TKL5S.tmp\Rvis_install_dll.dll
| MD5 | 2cf9bac0b1e6af2f444e993659454476 |
| SHA1 | 22ca45a9e2f9f17e95421c722954fdb352a4c008 |
| SHA256 | 19d00d00079177f3e78533ecb9f2e797092dd4d6bddae7d394218501afa4d51e |
| SHA512 | cb6ec66415c50bc9c807def6a0eea79dc4dda73a9c1d2a5d077121fb21c7f4486cbe28784eb5c4c5d9e95d98288ba6d4eece1ca0d3c838f7bd58e97c81294bdb |
C:\Users\Admin\AppData\Local\Temp\is-TKL5S.tmp\RadminVPN_1.4.4642.1.msi
| MD5 | 896d5c916b19c7a1ad8d11b1d0518c5e |
| SHA1 | 351600ac2237432fec3e79db9e1d2a22a5e9a6d9 |
| SHA256 | 09388bf21b20c4f5ef0674bd8a00a0eb11225174f767b548b5bbb7bfab2b486f |
| SHA512 | 73afa4574ce1b9e3804958c78015182f908836ed171efa6cfd11cebd0f3040ca129b290026f27f5fcc16b1c33c2f8d01cf4734bd60b30ad567cf65eb029cf076 |
C:\Program Files (x86)\Radmin VPN\RvRvpnGui.exe
| MD5 | 8dfb8feccc75f737363de85f66e753a6 |
| SHA1 | 7265f3dc35904256e1f33f8cc3bab085e7bb4eb2 |
| SHA256 | 716a11cdc1b12827ee18027caa947f813cb3550412b5dcaae427be3bbcc0221f |
| SHA512 | 0bc0ff8c7a95ca26320c3161116d1bdd868eb36b6eea254f08718a4be1961ffa386c9d6ee4dfbcda434130d7139ce230c7b7c620361169e5e5c4b8a74875015c |
C:\Windows\Installer\MSIE05E.tmp
| MD5 | 2a8bd75bda91871347497a88f1bd8a1d |
| SHA1 | 67f58b4506d51931df5f1e07ab0020e587308759 |
| SHA256 | 383e45cfe4d4f54e6d0743f2ee8c1c7a54540c59cd071df1e6b978770b1fcba6 |
| SHA512 | 58063c46af7c3c409cc1fa450af22849c82034c1046fc63e23f55f9ea70b4a3a9ae3a2e591f67569abc404ce0e415436f20973c4d37ac79762675e65d3b36df6 |
C:\Program Files (x86)\Radmin VPN\Driver.1.1\NetMP60.inf
| MD5 | 79e0ccabcf7d9d6077deeb2c1acbc926 |
| SHA1 | 4577c7377043569adc29804d0b7585b63f4252ca |
| SHA256 | ef6769520c94a3b5885458cd19696b45cf79010e9757729b2049ba6782fecfd7 |
| SHA512 | 2d4343e011f1557acbda0fdb096dc106c4345aed8fc220f4d496d72052441331d1568e0974fc4df72e9ce6f1a6aaaa727c66e0b70be91457bf80e4e9e5e45844 |
\??\c:\program files (x86)\radmin vpn\driver.1.1\NetMP60.cat
| MD5 | ceff01d9a2585878343f1b10ac597c7a |
| SHA1 | 030e3b4382eb00f1ecfd1c2fc8e59c5b5594d991 |
| SHA256 | 6ba444527b66803b9fa43b80509788c761fa18b52360e27b74cc2e8a1c115b3a |
| SHA512 | 8f7a6b4cf9e753778a63460f39bc1d82f53d8d01f531227f1c60202079a933471c6c4479e9aa8fe8020ba78f4762f0d4a985f8203542ab663799449291d9bec1 |
\??\c:\PROGRA~2\RADMIN~1\DRIVER~1.1\RvNetMP60.sys
| MD5 | 4c175bfd31248cbade0f875dbf9f54e6 |
| SHA1 | ce9074101ec98d66c46dfe2f52421e467dcf2694 |
| SHA256 | 88765957ac41e3f00f1fd98393342ea40ddcc05952aba418e099d866296c1bf2 |
| SHA512 | ed999936d2593ea8895b177f532c7ee76a24a78365839c5c8761912a8848d2a650a834114c632853356aec8fb470e722a8e6771123c74a4185bf54250440fc3d |
C:\Windows\Installer\MSIE512.tmp
| MD5 | f6de727441d84b427e7d2b4e9ec1db17 |
| SHA1 | 6d3b8159796bef81166271ae4f8372d5148d9488 |
| SHA256 | b90ffb402c6dd7607fe48666f5944fea43083c30f54e41bc589226999b5a2b01 |
| SHA512 | 9e0333f6ad668bc268af9699dea98cf21c3ada33ccc254535b0b96c8cfb4f2e58392d55664b6ce8d05bc06c5fdbf156b300cb51503222e6d0121cfdce443818f |
C:\Program Files (x86)\Radmin VPN\RvControlSvc.exe
| MD5 | 3d1b360c5a73c72cbdeac1ada8813c38 |
| SHA1 | 06d0cb4c0a15a2a62df9f15e4c4dc016c1350517 |
| SHA256 | 7e9b855c9bd2932e94a21635a58c572c4c7c2b0d2ce44dc2200b299290ea281a |
| SHA512 | f57adad8bfe7784c5d5bcc82156582d7ff479b4acccd04b6b7658960aab3989651f9fc2b144f468d778272670f263adc6df95fbcfb8716242f19371eb3017ddd |
C:\Program Files (x86)\Radmin VPN\shelper.dll
| MD5 | 37146d9781bdd07f09849ce762ce3217 |
| SHA1 | a0b1d8943aecf9a35b330e5f3c3d63bea9b2ceac |
| SHA256 | d89daf6bcd5cafa3c7f6173f835ccf045baf8e7134f868819db6fd7615959ac4 |
| SHA512 | 98973fd690cb43a6c88b6d53808ec998a9b627759c316e84621e6527d1ad1734d7cbc9d9f5ebf422a639c1946fffd284306a505eb4395abdec8aee32257ff609 |
C:\Program Files (x86)\Radmin VPN\RvROLClient.dll
| MD5 | 1f4369227916423f70da0112077cc180 |
| SHA1 | fb4ae9f45a31346121b138b545bdc05412c6fa5e |
| SHA256 | 5af3ab5bcd4d0edcd3294a2dc816f2669ddd08bbfc565c51ddaf3a276c38c6e9 |
| SHA512 | 45bcd06ab4ac0bf86af3377d07cba6110b00ed912b377b2e2f04079bbc0a7d6ecdac511d76bcc33878543b053f294e1c98ebb60a65692ea901b5cc829f735e04 |
C:\Program Files (x86)\Radmin VPN\RvEnetConnect.dll
| MD5 | 5dc885ab290f62810981f54861382c10 |
| SHA1 | a39867ff6efe6d5ac90f8573f61c24189c14b6e0 |
| SHA256 | 02829cb94bae4385e197be5dd2a932a2477f9239bb0d89dc117020d1e09d2f46 |
| SHA512 | f61ec585e2eaaa350afaf35eee04d258d3fdfeecf367378f3e5c6595dfb8e515a0184ab50c40979b9afd35b88567d991989074bb376eff9ea42522b0c67b216c |
C:\Program Files (x86)\Radmin VPN\RvTCPConnect.dll
| MD5 | 1686fc54af6d8e1297fe811c8a12c193 |
| SHA1 | 7646435404c3766fc2e895799b7cf3ff8a202f4a |
| SHA256 | 22470f4001c91b695826db8b89fa470b3a211344c4c43e3c45aac371c6f4bd94 |
| SHA512 | 33d68b3f22f32fce2c743f61799dd58b4a177d18a031e2bf8196821f6d5bb0c5c09178775eab0dc9136d4c2e677ce09603b2ea76f2929633e1d463261a8da1f6 |
C:\Program Files (x86)\Radmin VPN\RvTRSConnect.dll
| MD5 | 734a2822348ab0a4e249f2b065847077 |
| SHA1 | 002c8dfc2e63ab51dbba1c6cebd18b2d025912bc |
| SHA256 | c2c024be677b875bf9f88dae7135ba92614e983d28c2dac513d09061400e661f |
| SHA512 | 70f5cccbb7236a0a845487324bbe6f9cf3ef635389f96ed54e5b678917bd90b53a610621c8eb9980d8f596b8769c3779984eaa08bf4671d01a465ec2cc3aced9 |
C:\Program Files (x86)\Radmin VPN\RvRolUpdater.dll
| MD5 | 8ea6a38a4d7b4e51f1ab046658135c4e |
| SHA1 | 7f06702a94d3073a975d31c4627639f7f046ba7c |
| SHA256 | c77034de1ffebac41a6f299a07ee19b7324e20cb7270ed0351d339efcbce4992 |
| SHA512 | 0bcfa7d4c50e9baa00275ce7a9c9c1d4142686b1c332e486f50503cc6b47b847e04848aa06f54afe0f910f20044b9b7b3b569739de8399510b20b70a3e274082 |
C:\Program Files (x86)\Radmin VPN\RvDownloader.dll
| MD5 | dbd19ec366fdc6cb44a6b879d5b0b25e |
| SHA1 | 7eef3bef49d5c49baba2b38d2f6751fe3f78d194 |
| SHA256 | 2b6e0e7ab342da05460986fa161c5ec60803235852c1277599064459395e30fc |
| SHA512 | 7f93fb753c8bf803f21b95dae4754b3edb967428918567da6825b7a4f68b3a4950d9442f4f666643b3d37fda32a6b4a05e8069d79fc49756fd9b9fdd3b83d34b |
C:\Program Files (x86)\Radmin VPN\RvUESClient.dll
| MD5 | 1cc25786d6c26010f5552d9a3f4db024 |
| SHA1 | c4d07fb9608c2c594efa79dfed75d32d39e8bb2a |
| SHA256 | 042a6c071a8b4d6230ea0b5c292aa2f6ca926e81f7a834c0a8e974d07f5c484f |
| SHA512 | fd4f18bd9d35ac2a6dea88bfe38b4b4144b40dd67214ebf2c6695b5123d2d10af4420eaf553042cd3983d7f21d15fd216c0b2639c207b53960998b719996a69d |
memory/2136-282-0x0000000000400000-0x000000000053C000-memory.dmp
memory/3308-280-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Config.Msi\e57d12e.rbs
| MD5 | c8d157e6f8ffca4ca227de577113fe47 |
| SHA1 | 181a855f15156f1f124fea91c4fe90efeddd31db |
| SHA256 | 19f8847e8d1682eb95d4869d3506655152029821eea35c12ceaa72a6c3d1f7ed |
| SHA512 | b0ecfffef53d0679b3aa8f42c6f5067379d6495ec389a0d955b28ac68167d006267e5d5298a20fd623cb78106f0399385e2f6645574bd405555059b54514d857 |
C:\Program Files (x86)\Radmin VPN\Qt5Gui.dll
| MD5 | b2d36d9e7aeb6fe317deaaf7cc4a34ed |
| SHA1 | 7eb1cdcf9a59a348064c2f41eedfd73bc00e7724 |
| SHA256 | 63c05cfdd2ee44057e619d1a9acead538e867cbee55873529d01686d1ec678a6 |
| SHA512 | 5bdedc810d891158e3d7b35c402a29d6eb0523fcd75465f0ccd620ddfdb21871f41795535cea6b999cf3de6a2994603be0d02db9258b2afea07bda4e658b4178 |
C:\Program Files (x86)\Radmin VPN\Qt5Network.dll
| MD5 | d52831bba5f65db7a1dd310c65c63ca1 |
| SHA1 | 32ea3c1ec75c919ea587ae69d172345bb78b3aa0 |
| SHA256 | 5ffbf8fd312922fc7aab26654f0da5d41cde2734c5321f8f4bcfd596c2660825 |
| SHA512 | 796e9be75a43167bef2d8a8f5539a59a97c30ca5c2392309a3e447a1eb5369a623a3979bd214c2d210664587b289ecc31c7e92a8b14faf264d5c81f70743aa60 |
C:\Program Files (x86)\Radmin VPN\vcruntime140.dll
| MD5 | 1b171f9a428c44acf85f89989007c328 |
| SHA1 | 6f25a874d6cbf8158cb7c491dcedaa81ceaebbae |
| SHA256 | 9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c |
| SHA512 | 99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1 |
C:\Program Files (x86)\Radmin VPN\Qt5Widgets.dll
| MD5 | f7a79aaa6a0075311756a488e49d12e0 |
| SHA1 | 7608655af255b78f05b012497297e974044736f6 |
| SHA256 | 508f772bde00e8cee5e5d185b3e44003982843d283e8448e3a4b6b29b4ff28a8 |
| SHA512 | 403b54dbc3affe2c6a00c7697ba5898c7b21cc38a81002d7d19c29728615a906b417ecc69568a2932c4ed4c866ea17ec83af61a568f482965776821df9cee18a |
memory/3308-324-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2136-323-0x0000000000400000-0x000000000053C000-memory.dmp
C:\Program Files (x86)\Radmin VPN\Qt5WinExtras.dll
| MD5 | a3bd87494bc7174bff35998c4f418afe |
| SHA1 | 0ed2b03bc45135af2367be0dc2d95073752c0da5 |
| SHA256 | 3245b97f939bbfb0d6ad0732c48097a45b3b7a7f1081eba41562c08ff33130cd |
| SHA512 | 56702fa23547c018deb71669b71e63902204645e57946c5ea8656d4a6bbdcff04683de20432b46321fbaad84ce877e3ff5c0ac6dadc06a97cfed544055ae2d7e |
C:\Program Files (x86)\Radmin VPN\Qt5Svg.dll
| MD5 | cec0a6577e3f784bf44a7a13f88bbbe5 |
| SHA1 | 138974a9f5e4b2d5dd18c7d135dbd884d99341d6 |
| SHA256 | 674e9e8f298c568798e965a9078f79578b07ef71d02a733231257a435f73b36d |
| SHA512 | eaa9be28b70a56d18094947df2136da9c411539b92b982f4a77b4b097ab5a4dd079b2fbdc3022cf53722eec7147134440500cd9c195d2537142b94919a70d88a |
C:\Program Files (x86)\Radmin VPN\Qt5Core.dll
| MD5 | 84f0b48079bbdcbdaac889074e90cef6 |
| SHA1 | 13be727af609a5aad66144c8f3771ceee1223e27 |
| SHA256 | 36a668c0bc57a86bbdb2ae183110cbacff479eac02e62b405abb7b4da67630c4 |
| SHA512 | 40b60f1716a2cb21b822830208e4951c7edcd902593544b08cda662eb9e2b72d732675051c5f00e9e3e7de4bf681f767d2e8222a4ce587267fb831ee7fd7a048 |
C:\Program Files (x86)\Radmin VPN\msvcp140.dll
| MD5 | 1fb93933fd087215a3c7b0800e6bb703 |
| SHA1 | a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb |
| SHA256 | 2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01 |
| SHA512 | 79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e |
C:\Program Files (x86)\Radmin VPN\platforms\qwindows.dll
| MD5 | 30c24c0cca7c155e221eb2baabddb674 |
| SHA1 | 5ea59ebb936611571549aab2a1dcfd4a5f31924d |
| SHA256 | 8b6af03472ecf29b377c188a25b812ff5635cba77664062263a0e7d47e942ddd |
| SHA512 | 100dcebb05889ba23bda9e6a5e6fb1c97ad1de8223880d9c552132d33284b08ec2e06836e7c6d9ee760eb61c1319f4e1a7819395e00bf773815bd7e7a04022d6 |
C:\Program Files (x86)\Radmin VPN\imageformats\qsvg.dll
| MD5 | 49624471cbc5bfb3206ed00c669baa29 |
| SHA1 | 9ecdf88c1dc80456ebb27be61a3d096fb6a828fd |
| SHA256 | 236367daea763155a50891614609207f022ac55fa1d8d3965813d976179b4fc2 |
| SHA512 | ddde272478642d264fff50ee437b34eb251b6e6ff7fbf9eeb3465a615b6414156631584751fa4f0d09a7a5131ee49d40c63cc4d569a63b0f293a346e99d30595 |
C:\Program Files (x86)\Radmin VPN\imageformats\qico.dll
| MD5 | da81cea0c66193b68ab6373216b8ea4c |
| SHA1 | 029e90a345dea93c8a514f98cbf4741eb8ea7250 |
| SHA256 | 33fac42baec44d498c17cf392a7eb3962b4a67e61a8f309209ede7801b61b3ec |
| SHA512 | be42281515880d450fdfb95a13ae51bfaa4ec22ce1a61fd62270c6fb99923f6cccf27548cc656fb5019ddafc1e58061014983d79b6008f1087e1ef7aded43179 |
C:\Program Files (x86)\Radmin VPN\imageformats\qgif.dll
| MD5 | 8d66762b1dfd8a03616cec05c0c435b0 |
| SHA1 | 89a6819d0e26f8541c1e8f884c85a9ed19106f0a |
| SHA256 | d921d8a72898d9bee3163cdaaf28d71893a9369f30d6ffe0412ed3521a76b251 |
| SHA512 | e6d4d80b3564941000489decf00dd5bdf818fce44a2686397d83e771e8a151af3080e93e1ba04e7ac2c6edd2f77c81adb57fe5277e09fdad43e71a0351efdae2 |
C:\Program Files (x86)\Radmin VPN\RvRvpnGui_en_us.qm
| MD5 | b5765b50115c50042ed96640bbe1c521 |
| SHA1 | db50587e2ab7b08d1f7b0fb390790e6e78645f91 |
| SHA256 | c2d97b39154a54f07dc76f029a2e1219e1e254d8a161308f965a72795d77dad0 |
| SHA512 | b302652873b6fd2ff37d78fb5a6a2cf67fece964ad22e46d4f3b66130211ed46aaab276de97407e345c00b3a7bafeb44622785bfbc02d250e2b663fc8155f419 |