Malware Analysis Report

2025-04-03 10:26

Sample ID 250308-xdcwxa1sht
Target FVGSetup.bin
SHA256 d4c371d9f2dcbf10e5431613552c9402eb2173949438616b831ebe3d9c5d46f3
Tags latentbot discovery persistence privilege_escalation spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis Overview

Score 10/10
SHA256 d4c371d9f2dcbf10e5431613552c9402eb2173949438616b831ebe3d9c5d46f3
Threat Level: Known bad

The file FVGSetup.bin was found to be: Known bad.

Malicious Activity Summary

LatentBot

Latentbot family

Boot or Logon Autostart Execution: Active Setup

Drops file in Drivers directory

Loads dropped DLL

Reads ssh keys stored on the system

Executes dropped EXE

Blocklisted process makes network request

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies registry class

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK (Enterprise Matrix V15): the technique matrix is not included in this export

Analysis: static1

Detonation Overview

Reported 2025-03-08 18:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-03-08 18:43
Reported 2025-03-08 18:49
Platform win10v2004-20250217-en
Max time kernel 300s
Max time network 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Boot or Logon Autostart Execution: Active Setup

persistence

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\DontAsk = "2" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\StubPath = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v OPENVPN-GUI /t REG_SZ /d \"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\"" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\ = "OpenVPN 2.6.12-I001 amd64" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\Version = "1" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\IsInstalled = "1" C:\Windows\System32\MsiExec.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\SET5918.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\tap0901.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\drivers\SET5CE0.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\drivers\SET52ED.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\SET5CE0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\ovpn-dco.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\SET52ED.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\wintun.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\SET5918.tmp C:\Windows\system32\DrvInst.exe N/A

Reads ssh keys stored on the system

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OpenVPN-GUI = "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OpenVPN-GUI = "C:\\Windows\\system32\\taskhostw.exe" C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET489D.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET489D.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET48AE.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\SET5040.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F35.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\tap0901.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\SET503E.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\netwtw04.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F34.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F36.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\ykinx64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET48AD.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\tap0901.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET48AE.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\SET503F.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\wintun.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F36.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\OemVista.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\oemvista.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF C:\Windows\System32\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\OpenVPN\res\ovpn.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\libcrypto-3-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\libssl-3-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\config-auto\README.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\doc\openvpn.8.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\include\tap-windows.h C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\libopenvpn_plap.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\openvpn.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\openvpn-plap-uninstall.reg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\config\README.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\doc\INSTALL-win32.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\openvpnserv2.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe N/A
File created C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe N/A
File created C:\Program Files\OpenVPN\sample-config\client.ovpn C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\ssl\modules\legacy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\log\README.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\openvpnserv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\tapctl.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\license.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\sample-config\server.ovpn C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe N/A
File created C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\config\empty.ovpn C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe N/A
File created C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe N/A
File created C:\Program Files\OpenVPN\bin\openvpn-gui.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\OpenVPN\bin\openvpn-plap-install.reg C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{68900C00-D1AC-4940-B63A-CABA2BF18B17} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI4B54.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\openvpn.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem5.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI673E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3479.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI4FCA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem3.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem4.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\Installer\e5830d3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI36DB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI39BA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\openvpn.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\e5830cf.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D4A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI526B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI66EF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI66CF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3A38.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI3A78.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\tapctl_create.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3AB7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3C2F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\tapctl_create.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\e5830cf.msi C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe\JScriptSetScriptStateStarted = "240668984" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RAS AutoDial C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\EasyRSA = "\x06OpenSSL" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.ovpn C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\" --command import \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers.OvpnDco = "Drivers" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.GUI = "OpenVPN" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenSSL = "\x06" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\ = "OpenVPN Config File" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\res\\ovpn.ico,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Net\1 = "C:\\Program Files\\FreeVpnGuard\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.Service = "OpenVPN" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.Documentation = "OpenVPN" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe\" --pause-exit --config \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\LastUsedSource = "n;1;C:\\Program Files\\FreeVpnGuard\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.SampleCfg = "OpenVPN" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers.Wintun = "Drivers" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\ProductIcon = "C:\\Windows\\Installer\\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\\openvpn.ico" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\ = "Import into OpenVPN-GUI" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\PackageCode = "DA5475FBCED86AC45B29ACF62891E2C1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Version = "33948849" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\ProductName = "OpenVPN 2.6.12-I001 amd64" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72\00C00986CA1D04946BA3ACABB21FB871 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.PLAP.Register = "\x06OpenVPN.Service" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.GUI.OnLogon = "OpenVPN.GUI" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn\ = "OpenVPNFile" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers.TAPWindows6 = "Drivers" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\PackageName = "OpenVPN-2.6.12-I001-amd64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "import" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\ = "Start OpenVPN on this config file" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command\ = "\"notepad.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import\command C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe C:\Windows\system32\msiexec.exe
PID 4352 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe C:\Windows\system32\msiexec.exe
PID 4152 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4152 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4152 wrote to memory of 3672 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4152 wrote to memory of 3672 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4296 wrote to memory of 3612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4296 wrote to memory of 3612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4296 wrote to memory of 4524 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4296 wrote to memory of 4524 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4296 wrote to memory of 684 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4296 wrote to memory of 640 N/A C:\Windows\system32\svchost.exe C:\Windows\System32\sc.exe
PID 3672 wrote to memory of 4896 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\netsh.exe
PID 4296 wrote to memory of 3612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3672 wrote to memory of 2044 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\netsh.exe
PID 4296 wrote to memory of 3532 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3672 wrote to memory of 1668 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\netsh.exe
PID 3672 wrote to memory of 2772 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\sc.exe
PID 3672 wrote to memory of 640 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\sc.exe
PID 2236 wrote to memory of 3984 N/A C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe
PID 2236 wrote to memory of 2276 N/A C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe C:\Windows\system32\OpenSSH\ssh-keygen.exe
PID 2380 wrote to memory of 3864 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 3088 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe

"C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /i "C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi" /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding CE447D31B9ECF65DA4648FDB7C3FAFB2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding C0F6DD896AF34A224CC69B51BCB2477D E Global\MSI0000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Windows\Temp\6c5b298024427ae09dc929e24a09eac899720625ed9544b87e3139526fa6b6c6\wintun.inf" "9" "44006a23b" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "C:\Windows\Temp\6c5b298024427ae09dc929e24a09eac899720625ed9544b87e3139526fa6b6c6"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Windows\Temp\7c447ebf4ac5de88a8a6dc8efe57bcf9e7defd1ad02da8db6410eaef156d88ba\OemVista.inf" "9" "4c96e98cb" "0000000000000150" "WinSta0\Default" "0000000000000154" "208" "C:\Windows\Temp\7c447ebf4ac5de88a8a6dc8efe57bcf9e7defd1ad02da8db6410eaef156d88ba"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf" "9" "4e1f3ffd3" "0000000000000154" "WinSta0\Default" "0000000000000138" "208" "C:\Program Files\Common Files\ovpn-dco\Win10"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "11" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:9ef34515d755ec66:Wintun.Install:0.8.0.0:wintun," "42b53aaff" "0000000000000168"

C:\Windows\System32\netsh.exe

netsh interface set interface name="Local Area Connection" newname="OpenVPN Wintun"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "11" "ROOT\NET\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.27.0.0:root\tap0901," "433338203" "0000000000000138"

C:\Windows\System32\netsh.exe

netsh interface set interface name="Local Area Connection" newname="OpenVPN TAP-Windows6"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "11" "ROOT\NET\0002" "C:\Windows\INF\oem5.inf" "oem5.inf:c695c3de07ba2b5d:ovpn-dco_Device:1.2.1.0:ovpn-dco," "43b135903" "000000000000017C"

C:\Windows\System32\netsh.exe

netsh interface set interface name="Local Area Connection" newname="OpenVPN Data Channel Offload"

C:\Program Files\OpenVPN\bin\openvpnserv.exe

"C:\Program Files\OpenVPN\bin\openvpnserv.exe"

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" config OpenVPNService start= auto

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" start OpenVPNService

C:\Program Files\OpenVPN\bin\openvpnserv2.exe

"C:\Program Files\OpenVPN\bin\openvpnserv2.exe"

C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe

"C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe"

C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe

C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe /INSTALL /SILENT

C:\Windows\system32\OpenSSH\ssh-keygen.exe

C:\Windows\system32\OpenSSH\ssh-keygen.exe -t rsa -b 2048 -f C:\Users\Admin\.ssh\id_rsa -q -N ""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbc94ecc40,0x7ffbc94ecc4c,0x7ffbc94ecc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1988 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2116 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2452 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3140 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3764,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4556 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4500 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4508,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4952 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5252 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5336,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3920 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5104 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3804,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3392,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3360 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3416,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5088,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5240,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4996 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4988,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4780,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4500 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5588,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5596 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5704,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5580 /prefetch:1

C:\Windows\system32\OpenSSH\ssh.exe

C:\Windows\system32\OpenSSH\ssh.exe -N -o StrictHostKeyChecking=no -L 127.0.0.1:8443:127.0.0.1:8443 [email protected]

C:\Program Files\OpenVPN\bin\openvpn.exe

"C:\Program Files\OpenVPN\bin\openvpn.exe" --config "C:\Users\Admin\AppData\Local\Temp\45-3cb5daff-117b-4f0b-9800-c76d6ae5f00b.ovpn"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5116,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4704 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 ifconfig.me udp
US 34.160.111.145:80 ifconfig.me tcp
US 8.8.8.8:53 freevpnguard.zapto.org udp
NL 45.8.144.34:389 freevpnguard.zapto.org tcp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.169.46:443 clients2.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
GB 172.217.169.68:443 www.google.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 142.250.187.193:443 clients2.googleusercontent.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.10:443 ogads-pa.googleapis.com udp
GB 172.217.169.10:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.204.78:443 play.google.com udp
GB 216.58.204.78:443 play.google.com tcp
GB 216.58.204.78:443 play.google.com udp
GB 216.58.204.78:443 play.google.com tcp
US 8.8.8.8:53 2ip.io udp
DE 188.40.167.81:443 2ip.io tcp
DE 188.40.167.81:443 2ip.io tcp
US 8.8.8.8:53 ipv6.2ip.io udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.180.2:443 googleads.g.doubleclick.net tcp
GB 216.58.213.10:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 216.239.32.36:443 region1.analytics.google.com tcp
BE 108.177.15.154:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 www.google.co.uk udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com udp
GB 142.250.187.227:443 www.google.co.uk tcp
GB 142.250.187.238:443 fundingchoicesmessages.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.180.2:443 googleads.g.doubleclick.net tcp
GB 142.250.180.2:443 googleads.g.doubleclick.net tcp
GB 142.250.180.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
GB 216.58.213.2:443 ep1.adtrafficquality.google tcp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
GB 142.250.200.33:443 ep2.adtrafficquality.google tcp
GB 142.250.200.33:443 ep2.adtrafficquality.google tcp
GB 172.217.169.68:443 www.google.com tcp
GB 142.250.180.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 s0.2mdn.net udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 142.250.200.38:443 s0.2mdn.net tcp
GB 142.250.180.1:443 tpc.googlesyndication.com tcp
GB 142.250.180.1:443 tpc.googlesyndication.com tcp
GB 142.250.180.1:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 cm.g.doubleclick.net udp
US 8.8.8.8:53 dsum-sec.casalemedia.com udp
US 8.8.8.8:53 ib.adnxs.com udp
US 104.18.27.193:443 dsum-sec.casalemedia.com tcp
DE 37.252.171.52:443 ib.adnxs.com tcp
GB 216.58.204.66:443 cm.g.doubleclick.net tcp
GB 216.58.204.66:443 cm.g.doubleclick.net tcp
GB 142.250.180.1:443 tpc.googlesyndication.com udp
US 104.18.27.193:443 dsum-sec.casalemedia.com udp
GB 142.250.200.38:443 s0.2mdn.net udp
GB 172.217.169.68:443 www.google.com udp
GB 216.58.204.66:443 cm.g.doubleclick.net udp
GB 142.250.200.33:443 ep2.adtrafficquality.google udp
GB 216.58.213.2:443 ep1.adtrafficquality.google udp
US 216.239.32.36:443 region1.analytics.google.com udp
NL 45.8.144.34:22 freevpnguard.zapto.org tcp
US 8.8.8.8:53 ade.googlesyndication.com udp
GB 172.217.16.226:443 ade.googlesyndication.com tcp
GB 172.217.16.226:443 ade.googlesyndication.com udp
GB 172.217.16.226:443 ade.googlesyndication.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 e2c69.gcp.gvt2.com udp
CA 34.0.38.213:443 e2c69.gcp.gvt2.com tcp
GB 172.217.16.226:443 ade.googlesyndication.com udp
US 8.8.8.8:53 beacons.gvt2.com udp
GB 216.58.213.3:443 beacons.gvt2.com tcp
US 8.8.8.8:53 e2c71.gcp.gvt2.com udp
ES 34.175.83.78:443 e2c71.gcp.gvt2.com tcp

Files

memory/4352-0-0x00000286799E0000-0x00000286799E1000-memory.dmp

memory/4352-2-0x00000286799E0000-0x00000286799E1000-memory.dmp

memory/4352-1-0x0000000000A10000-0x00000000030B2000-memory.dmp

memory/4352-3-0x0000000000A10000-0x00000000030B2000-memory.dmp

C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi

MD5 635b9d9d72f6e455f35365801fb4b040
SHA1 a9df3d98eecfca7372c03fee38d530f5b7aebcf8
SHA256 525759fe9e52a77a7d2cad99f5af1923d7d3027cab775ccfb7469ce0fd2b1758
SHA512 4321f84f138845d02b0ff3c19d1fd307d5ac0eaea6721ea3d706661be41cfd292d7ad5905fd4a46ab029f9fa8c9a63096d7e1ca56eb8de1e1d161e45c055f633

C:\Windows\Installer\MSI3479.tmp

MD5 f97794a736b3c59ced7c005806fe9000
SHA1 18238e0df4a6a9ed3783449f4d9db0774c5de86a
SHA256 3f591a709e24a1d95fe81cbb7efe336e91a92299a95fdbda91addf9aa0763030
SHA512 6a89c856a0327601a3ad3d837b509c11359d1fc9b28181eac862e1df59aabb91261911e2e8f300a8482890c5bb6f8591cdd2ca0b6a3be7827d4c57ff225b86b5

C:\Windows\Installer\MSI3A38.tmp

MD5 2232c07e354364e0eb1dc80024593826
SHA1 65bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256 fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512 f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572

C:\Windows\Installer\MSI3A78.tmp

MD5 718222e232d11298dfbabbc2b70d8b14
SHA1 89fc560692111c2245694867b8772fd8969f46d2
SHA256 45e855461f5d1be28a2f88416603070bd1778055abdd06834ae58e97b7ddf53c
SHA512 9191961c28a7a4647ae8f9f9e1956d60b97f5f5c3e4e838d888bf78c1ea665e98e8e3c75cc1247a68a89b2413493ea6d39dbc60827eec919ddba0536d793c801

C:\Windows\Installer\MSI3AB7.tmp

MD5 84a1cc9540d5cdad74bc54f8090dd27a
SHA1 c6f82d1491015457785ae0d365e7196d693d9a6b
SHA256 2738720da0b6ce474ca6eb51a92372d047eca2d713c256f0cd6c147ac3a0db21
SHA512 9c25d6e7331844d01d732ac923e99c68f305749d92407c873cd09b451e59a8864001e308864fda319fa4a2bcae9dbe50682201c67901dce14272291dedecd2c8

memory/4352-156-0x0000000000A10000-0x00000000030B2000-memory.dmp

C:\Windows\Temp\6c5b298024427ae09dc929e24a09eac899720625ed9544b87e3139526fa6b6c6\wintun.inf

MD5 8480579050970b0812cc3d9a1bce1340
SHA1 edebebd090602f4eee375ad754c8566d4fda23cb
SHA256 44098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA512 46de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933

C:\Windows\Temp\6C5B29~1\wintun.cat

MD5 faba2ccb8fe366fd281ca6be6d2bb7c2
SHA1 bb7bd32a21f3eba652fde24146387ffc5278143e
SHA256 602187e5470ddbdf9421045bb0515f358c88bf88f59fd8a886fb6373da5d0f82
SHA512 ec424a545e2598f299706499dab07b4d12b0734a52f928216a53bca2b7f384b97bd4fc092d7d68de636a75daf79ac392c4b49b7251ec011236de1659253d6214

C:\Windows\Temp\6C5B29~1\wintun.sys

MD5 1945d7d1f56b67ae1cad6ffe13a01985
SHA1 2c1a369f9e12e5c6549439e60dd6c728bf1bffde
SHA256 eb58bf00df7b4f98334178e75df3348c609ea5c6c74cf7f185f363aa23976c8b
SHA512 09af87898528eaa657d46c79b7c4ebc0e415478a421b0b97355294c059878178eb32e172979ee9b7c59126861d51a5831e337a96666c43c96cb1cf8f11bc0a0f

C:\Windows\Temp\7c447ebf4ac5de88a8a6dc8efe57bcf9e7defd1ad02da8db6410eaef156d88ba\OemVista.inf

MD5 6f5ffb58a9e406ab1643c890e2a198c6
SHA1 3ff1faba00ac18a93e88a6f2bbfa747c9fdc7e0c
SHA256 1327ab3a8c50691f04bea8e2ca356c5b604092a719e219464f8cc4b42e192de9
SHA512 af29bc13cc02238208c51e4e95dd0a4445a952755635a9eab38aa77a5c087cc8e2025af55d8f3a0e9f2430baa91534e7f892bb71aa0ef72bab4483211a845b4b

C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\tap0901.cat

MD5 71ecece58bb00bdc1e728ee28d7a5332
SHA1 4305889415cf95662a30d024f1138f1af224cf42
SHA256 ee062e5ef2743ceab10c64830e4cefe52e35cc1ece85947ac4e61ddd1c0b05f7
SHA512 9b23404d867fc4fd7c7beeba3768e8fed3113cc7430ec1bc9ca7faf6e6105388de7057b1402f9b4ba8fbc11e5fcd3afe14233721e8d15b6c0bed40f65aa5b58b

C:\Windows\Temp\7C447E~1\tap0901.sys

MD5 1bb9772a05517e227d1dafd3936e8f66
SHA1 d695ca5791a4b6a3509939aebdfaf5e229c6fbcf
SHA256 581dcaace05d5c1ac9512457ff50565aca5d904d2c209bd3fc369ca4d4a0d2b1
SHA512 3f1966038f91b887fe1a71474929bd87f3c75091846c6e9563f7424d3a7c19c908f1d874895341c61a868a616aba637e3d4188d4ebb7383087886a13a4dc0aa2

C:\Windows\System32\CatRoot2\dberr.txt

MD5 be209ba860598d787a508a735f90a57b
SHA1 e0b63973643f8423c7dc5eb5a41d224349abd359
SHA256 73286e10fe3420d18872ec0fdb1045c1d4e535682b05218400c0f045390d313d
SHA512 7838990cefa0e55379397e3a3f760bd2ed835a2ce447afa7d757450587df45ef0734be17736474ceb89da479f7899cc88cf3d3ba8395bc62abc79ea6f22c3222

C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf

MD5 77da079a3665afc84d05c3d07bcaa0d0
SHA1 3fbfafe2c08100f5b46b792398c2ecb9157760e9
SHA256 1f6c35bc11d910f91c32ea54894d0fddb0094876bdd526d04a9287d04d636242
SHA512 10fcd8464c6aab386bf2f675175598764e0b784a898b7b450fef3d055ecf902c7a57ac0aef2725b9e6899146e4e9230c8677bfd2a8f18489b642fa6beca25507

C:\PROGRA~1\COMMON~1\ovpn-dco\Win10\ovpn-dco.sys

MD5 5e69b6c42467b2673101e592a2b28638
SHA1 16d076f57b3cbdbe945c6666676823871f5c90d1
SHA256 2357e4d2007f346a3d2b3bf05115caeaf3eb069a70be654ce472be71e6f7fc75
SHA512 232e9441db8da52cd5e6f29baf5340b0540125074a7ccc9d4754762c56460b72327f89d6583a8afde71ed400433eb850e1eb2b9d5fc536d8f9c18992b83fa587

C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.cat

MD5 5551203f3f1095335ff00421b16fd7e2
SHA1 0d14402407d60952f631dffe35240de3a1f910cb
SHA256 26c54ce26cb43407855ba24d10fbb30a87e5a1a0a35536025a02cb003fe474f4
SHA512 3c31b8f60bb59e4ac3c0cda8335af1918927c51b203c8b68f2601b390ad0bc0228cb9d5566dedef05ff38cabfce46eb3d54c52cd59c828bc17dcf0b1c24a8b08

C:\Windows\System32\CatRoot2\dberr.txt

MD5 3eb628d89a0964f3ae52fdf669858ddf
SHA1 dbe4568e8c8630aa6c0734d6c4cfaf747ec148f1
SHA256 ef30df30505a58bf4a58462606a624d3a37c35bbcef4a52f8ff653ba6f1cf03c
SHA512 3d3018ddebcf35107b231f090e89a6e7560badd59542381199ebf8575c42f851948fbd9a1992240b384916d83c89ad94a46b5d3d8d57a84331bac5f35185330e

C:\Program Files\OpenVPN\bin\tapctl.exe

MD5 0fb0cc41caa43667a02d4f1273688843
SHA1 25a79c7b406c0f8b24095684de2e17cf1ab2ef0b
SHA256 ffde0fe1e6aa7332c86aadfc1c6969866c808058a40b3dd771692eb479ded225
SHA512 e2bf78ebdfc6feb7e13ec51fa10e6ffc06380dc586c39ec2ac7b7574ce39ef3f86995c7597f253ce8e2e3bef474b092baff582ece28e796ef806d86ba4d6f8d7

C:\Program Files\OpenVPN\bin\openvpn-gui.exe

MD5 4c22527190ac1ae2a0ae56d7a00796a3
SHA1 b7ced9467df11a149b5cc008cd8071745b0ba4d2
SHA256 ccb395aeb255c1b67a48d2792900e0ba50034abf6e96a63485c5e39f6e79de34
SHA512 8686c6a94daf63328609ac171753ba04acec8fe6c615bc5957de4b720e0f26af924225e6f3802dc0e489b75a2a233751c0b97a2664fb789b8c1326ae952216b1

C:\Program Files\OpenVPN\bin\openvpnserv.exe

MD5 aabbde60aaaf46b0a4b1b136170bd4cd
SHA1 ddedf294dba6db03ae164997283f23d917a1d98f
SHA256 afbd423094f6c7af9496d0185e512ab4e950b2e8ac3811f19eabe7e0e1d02123
SHA512 635a93431ab2189c616f507e0b0e3bccd44dd3c2531437e08d1281ae5384e494699de15560f9c0fb1177d9ae3d2b267618df19eed57a76d51a39054b5b16d258

C:\Program Files\OpenVPN\bin\VCRUNTIME140.dll

MD5 5797d2a762227f35cdd581ec648693a8
SHA1 e587b804db5e95833cbd2229af54c755ee0393b9
SHA256 c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7
SHA512 5c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e

C:\Program Files\OpenVPN\bin\openvpnserv2.exe

MD5 bc71317e0308cdbb60c144de84ab3c68
SHA1 01f4d0d5c856f9f283d93c7c909088e862679ec3
SHA256 d1e995a2d32e7833a369aa849e8b877162e07c1a161c6dccb95ca2052fc8b1e7
SHA512 17f2333020eb2375f79a4bcb4884662fba8129ada9de24e6d2ca51c623f0de16e6e7e5ba60a119b13474d6627b1807b466f886a414c120c5d0d85d7f71427ded

memory/2872-522-0x0000000000510000-0x000000000051A000-memory.dmp

C:\Config.Msi\e5830d2.rbs

MD5 ef29db6a56d20811b7afa1a0ed0678d6
SHA1 fb05753528e635639556c5470776c5de8fc567d9
SHA256 8c14b3f64397de5f9e5c9e8e0bc2c9e0089de9c70549ec974b05f2a068ebdec5
SHA512 3cc3ec78f4d6789ecc255d11f7364cadeb3e2123bf8a975ea4c37194cc65e373ea7b0004fcac7bc3727a249a25fd34b4cbd909ca5cc2cc6bbb9d317038da25c5

C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe

MD5 f1b44bfff7c75f0ae50129d7322f05c8
SHA1 a4713613cc3ffead0bd3debe8ee386e6fd5d3529
SHA256 d3536e997456734926d88cf7ebd0c00ef001c385c2bd9d3bece56f885d230177
SHA512 0d6f4f81ea62b805098d017d075210d1d24bb3341b674dab9af3c8feebc26a42d1180ee75a204b714e08e88e7e9f8fe01c9a472c6cfc281d6afeefb0a17f0934

memory/4352-550-0x0000000000A10000-0x00000000030B2000-memory.dmp

C:\Windows\System32\DeviceAssociationBrokerSvc_60ca11.exe

MD5 cfd60406e7a40998306f59e93bbf2be6
SHA1 6cc4279d83d77d63968af44fc8ae619941a1ff46
SHA256 3aeb15cb33fd85a5e27acb4fd3efac027e69c700fc6d38d08ea3a691e3d3a17d
SHA512 c606071f53d2ca3fb19990ced6ff119c8ca4a520d9f28c9f0bbf0b83df3334ff60f6ccc8b017206dd33dc489f1d84f7a1c88ff02b8d986f1ce9ac50ef8ba66c2

C:\Users\Public\Desktop\OpenVPN GUI.lnk

MD5 4e8cac8596620e5f4cabef61ba01475f
SHA1 11ab6fad76da5aabeaf5e5bfc1ed4c0761a9a4e9
SHA256 3730eada02a5726ec6121d477318670e19bf7554ea8a0639bc6159c5879e07e4
SHA512 a52fb496e9154fef356706280bd0adb205608fe2fcca0ba4f7ba6c8e7ba48841c4db13eea302d94bde23769af766b25dd7bcc6249f17f1bf4d03e438d1d66876

memory/3984-564-0x0000000000400000-0x0000000000D3C000-memory.dmp

memory/2236-566-0x0000000000100000-0x0000000001E49000-memory.dmp

C:\Users\Admin\.ssh\id_rsa.pub

MD5 50706a898e41d81452fc1836757a662d
SHA1 267dec7fb27ed6b7efb913cb218f0de10c0caa44
SHA256 52715eddd952ea9e3d7b3335264a213bb57177881d7782138e31608ef8c409f0
SHA512 d570cec0a1c5ba9ffd11be4ddd40d81eba6e615b7d7c2bcfff66dcebc4b3b091bb6630191201ba05741f8ab35082f753427ddcdc8b5401bc334030a5cdfc962f

\??\pipe\crashpad_2380_MSDNSPOMUNAGEFVA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2236-625-0x0000000000100000-0x0000000001E49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir2380_1966584455\948479cc-64ab-4334-8e14-8be925643646.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Temp\scoped_dir2380_1966584455\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ad3626d88cc6859951b85562d0c7deec
SHA1 555e09cf5201abf4aa749404d67ec8c8be127930
SHA256 0630c244783528a1a129b751261857822e7229526978863061d335416c50952b
SHA512 1aa6f0ffecac2b7245a3b4a2f21e41265a9d18cff2615a6b4d4ad0ad1268bdc04110099e98b55012b9b981e4e640067fa4295a8211cd194bd4fb4c2ad2ac9b26

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 de39c72ddd5f12dd8eaf5ac9e3497698
SHA1 c03b298173bd7ec866e26fc22ceccfb9e1f972cc
SHA256 1081f2f786a2ee80e5895d3fafe1befcefb6b76fa2c6bdb795d59df9571ba564
SHA512 8efaedec7542e505b8539a3d689a8cd0881103675e4608e08904c4c5b08fd21fc5ad2a801c815b0d6c81bde3ccfc6d730e95b4eaaba7fccc9340631822a9fc88

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 dbf14b88acad0aa74c204f94d1900631
SHA1 220c98b39c3161e64b3831cfb00414ac4b1c87da
SHA256 b4672665d85cfbcf894ce6aff8c35f7cb96359a44359bcbedd5fd05e3536263c
SHA512 eb6d70993f69e2bfc4a528c5e8cd7099bdde9f1b49306590f356221aa78db5f2d7d60b453a65d895a9e3def16b15b7247b4d53c4c54353f6a48e0f40659577fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c23343e0e521eb942eb7a899f60e42e9
SHA1 85466d6bd8f002239083740c3be9b1acec876d23
SHA256 d86861f40e537d77f54b160e980902918e298e6f0118adcd5e687e0ad4774167
SHA512 0598587f7adb2f40b25db00eab8541f5d70b2309b8e5bf42f90ceceaa72f8dfe01d82100e5e345e1e0dfd36dd81915aa9e84a63969ec14ca639ee4e6b3824e76

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2910eff71021a99fe4b9dbf1dc011376
SHA1 a2b819e55ffbd850ce54dcf80a7eb954c70193a4
SHA256 84545937ef94ad7fe176caf02e56bfb9cf973aa2d7391c562027f5545531b838
SHA512 664d06a2cef1458786a5ea6ceb98c79ce21fea537a7e9ebcf419435ebe59facda7b11bc3f245e29001af6dfd87fc53029d854ddd5b3099215be7c0af85ee0ab9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZKC1FSM4\ip[1].txt

MD5 e3eb2b4cff0d56624daa49116976aeb4
SHA1 234db53081db6fc733d22a896f6dac5068eb066a
SHA256 3b9efd080931e6b2d3b89e8dcd2655792329a41c4699ffade4b48288bfdb0ffd
SHA512 ab0ce3a7301fe64594408380f5d55c8ebf24b0c94527fd2b29ff83bb2a10ab57be5a9de4ef56f532b0002e921c74cae14db0cc0f86d79e49d9d14f073d65d12d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e40b4a97b60b128984e77848c9bef6eb
SHA1 2f20ec6a5cd2bd409f6d3f25a73eec4aa01647c7
SHA256 7a4967bcc7f6c017ed1fea0c7f4795d3ce3e7a129e6c3032fb932eb4b8f186fd
SHA512 0098a04e56c9cc0af97af5fe2c48dc3b5c68ca03fda5e2b5762b227554682efe09d206f02cddc43217f8c835618eecaf76b8e053dc813d31bc9cfa053f35eec3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 199cc57fef8c891aaed06893544dfa36
SHA1 36dd4ca4a5ca4a84408d192bd0f95f3c963f70b2
SHA256 cf1849300620833585234b9993fcee7e41a632edb23bdd75bd25ae4b1603a6c7
SHA512 92941eb0517d678c57f295e97a340b10712b54475af7660f3089f84847a9dfd4ba2f168bcdcb2d0734dfe057d8c2f58c3f20fa537dedae99828b353176ce42aa

memory/2236-1194-0x0000000000100000-0x0000000001E49000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 6d2a1c1844cee71d8cf18f9a9a16ea8c
SHA1 7b649e5630bb257d3fa0c7b13ffb443a4e1596f6
SHA256 1b8fc286b5cad96d5f80989cca84c700661198ee5439b308c8362c3a3f1d2775
SHA512 362e58eddf9f3b2cdb44b852171eb20cca97b6288a5a108a103afb60e4ebc66a8763336c1e4e933baaeaa3a3010b7958e78cccaf22eb90a0cd9672799bddba50

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 535e51d56f374f865d9634bbb0071ea5
SHA1 0b3616bd4839cafc4664b32d6c01d7d559ca90aa
SHA256 bcbca1983532d65efc494429471b2f3d03400d829496095a16d9308a0af81015
SHA512 ac442c43db8096d2eabf2346410987a662353fe78cec945b3c057cdc524f25d05d96e280e221f9bd693ab50468f7f8fdd17e024ee7b11ad17c297d3344991bce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c5473ab97d4e3cd16b781c6b9bb81574
SHA1 d581d2197dfa7fa0e64ac7ee2cd35fa16bfdc331
SHA256 7d399b0ad3959dbc9356b6b711fd6fb597e0a71a7ee35ce4f1bc1c551c4e2b7b
SHA512 8eb1c621b843c750e07d404ca124ef149fe1a297636cc07c941010050bafa3a96f4735e3fe1309a9fa45a58ec66efc2b2ba3d33b4ddbed6f7be1e98e3fa0cc6a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 03b668b8bfc4fb97d849cf943fa34c7d
SHA1 bf9686214aaa88cbac9fb9453179c77702e3bde6
SHA256 181f88a77f0f1c87d82b2119c977b687247ab1e172108866e9b8a1f1cd8d791a
SHA512 3a2537245acb4ca261fd5c7291c0560675e369c0b88571641b45ed12f2e19e5e9c9267d05ddf8ab825d75f865cff193275c46017da4f3f3de4c368123d1d10b6

memory/2236-1246-0x0000000000100000-0x0000000001E49000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 87a50dbe96662abe5a78a4e6bbba2e45
SHA1 ae769d75fc1c98a6dab52a2baceb0595e13553e9
SHA256 45d0b48261b9aff99ef5f28822ab817e780703160a30ac67f72e0d0807dc3fdf
SHA512 e9bf9b8c3ec364dd98c4d6f0ed4192e23b61e3822c6da02dc3fa79e8d6a3344e3ffe1c3fa3123b215090b3f250794ca3715cae2adbc1638fac25f6f26f4028e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 1c2812b48342b2167c8663792c008440
SHA1 bb89e4f52a74b082bef6b5288a23b15577409c87
SHA256 562d7834e8b868c617b5c21ef3db0c3c769f42a882189b9f811a7e65a4efaf35
SHA512 f5a3a1c159ff935e38398816f03d127c7b76e4f0a31db0e450b12d01fcdcff88d985892e6b69f9e7459d623db7a5ae6cedc15a2ba6e622cccd6874d876e5cf9b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4ee63a65ff3445b1b660ad31bb680495
SHA1 b58612783461ca79334cc368715fae63f6c4dc4c
SHA256 da17de10c3f63b786c0e98c61e334341948c97f276b5f66520747d894fc85107
SHA512 59980fd9f52f691f75f28d313d0ccfaec67bec997d4a3879e64933a725d8773ec692781d35e4cbeafd7dbbedc134d2078aa880ac2269bcb96b260ec4d61d33ca

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 47e58f2217845792ea3b8d417bf7bfeb
SHA1 0d722aa4f8f0ceefd05ec91b1775c8181e96e10a
SHA256 66c540e0c245fb0f478ef979bb0df6d01679cf799f4dffd4ab2332633dd175b4
SHA512 f12fdb0e87419b42f0b6988122d85136db9da4a51b79f7596f6dadad95ff48ec0fb2e21e61e0342be5dbd60c389c070b3f5d0893d8ddf9c37572144bbaf116f0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6afe80dcec8b2d21694d5ba2f24bd2d7
SHA1 b012287e066ee492cce36ee6e14305cd61519c40
SHA256 e03e1dc93ebabcdcf95e23cbe6ffb706e5bd86af75090fa6c3bbc963940f0843
SHA512 49c7ee1cd803f0c19d78a67518f203ce45c9d70713f0d84742e3eae9ff628223a532e4fd1518d6e31d8365f74c10cec179e5d543935c53e96ca5306cdf9df30f