Analysis Overview
SHA256
d4c371d9f2dcbf10e5431613552c9402eb2173949438616b831ebe3d9c5d46f3
Threat Level: Known bad
The file FVGSetup.bin was found to be: Known bad.
Malicious Activity Summary
LatentBot
Latentbot family
Boot or Logon Autostart Execution: Active Setup
Drops file in Drivers directory
Loads dropped DLL
Reads ssh keys stored on the system
Executes dropped EXE
Blocklisted process makes network request
Adds Run key to start application
Looks up external IP address via web service
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies registry class
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-08 18:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-08 18:43
Reported
2025-03-08 18:49
Platform
win10v2004-20250217-en
Max time kernel
300s
Max time network
299s
Command Line
Signatures
LatentBot
Latentbot family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\DontAsk = "2" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\StubPath = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v OPENVPN-GUI /t REG_SZ /d \"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\"" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\ = "OpenVPN 2.6.12-I001 amd64" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\Version = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\IsInstalled = "1" | C:\Windows\System32\MsiExec.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\SET5918.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET5CE0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET52ED.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET5CE0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ovpn-dco.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET52ED.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\wintun.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET5918.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpnserv.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpnserv2.exe | N/A |
| N/A | N/A | C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe | N/A |
| N/A | N/A | C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpnserv.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpn.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpn.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpn.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpn.exe | N/A |
Reads ssh keys stored on the system
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OpenVPN-GUI = "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OpenVPN-GUI = "C:\\Windows\\system32\\taskhostw.exe" | C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET489D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET489D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET48AE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\SET5040.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F35.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\SET503E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\netwtw04.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F34.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F36.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\ykinx64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe | C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET48AD.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\SET48AE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\SET503F.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{43270e39-8f8f-ae4c-b20e-737d47d20197}\wintun.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\SET4F36.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\OemVista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\oemvista.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF | C:\Windows\System32\MsiExec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\OpenVPN\res\ovpn.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\libcrypto-3-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\libssl-3-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\config-auto\README.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\doc\openvpn.8.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\include\tap-windows.h | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\libopenvpn_plap.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\openvpn.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\openvpn-plap-uninstall.reg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\config\README.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\doc\INSTALL-win32.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\openvpnserv2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe | C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe | N/A |
| File created | C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi | C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe | N/A |
| File created | C:\Program Files\OpenVPN\sample-config\client.ovpn | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\ssl\modules\legacy.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\log\README.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\openvpnserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\tapctl.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\license.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\sample-config\server.ovpn | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi | C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe | N/A |
| File created | C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\config\empty.ovpn | C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe | N/A |
| File created | C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe | C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\openvpn-gui.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\OpenVPN\bin\openvpn-plap-install.reg | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{68900C00-D1AC-4940-B63A-CABA2BF18B17} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4B54.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\openvpn.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem5.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI673E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3479.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FCA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem3.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem4.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\e5830d3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI36DB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI39BA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\openvpn.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem5.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\e5830cf.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3D4A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI526B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI66EF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI66CF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3A38.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3A78.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\tapctl_create.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem5.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3AB7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3C2F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\tapctl_create.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5830cf.msi | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe\JScriptSetScriptStateStarted = "240668984" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RAS AutoDial | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\EasyRSA = "\x06OpenSSL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.ovpn | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\" --command import \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers.OvpnDco = "Drivers" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.GUI = "OpenVPN" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenSSL = "\x06" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\ = "OpenVPN Config File" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\res\\ovpn.ico,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Net\1 = "C:\\Program Files\\FreeVpnGuard\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.Service = "OpenVPN" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.Documentation = "OpenVPN" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe\" --pause-exit --config \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\LastUsedSource = "n;1;C:\\Program Files\\FreeVpnGuard\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.SampleCfg = "OpenVPN" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers.Wintun = "Drivers" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\ProductIcon = "C:\\Windows\\Installer\\{68900C00-D1AC-4940-B63A-CABA2BF18B17}\\openvpn.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\ = "Import into OpenVPN-GUI" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\PackageCode = "DA5475FBCED86AC45B29ACF62891E2C1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Version = "33948849" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\ProductName = "OpenVPN 2.6.12-I001 amd64" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72\00C00986CA1D04946BA3ACABB21FB871 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.PLAP.Register = "\x06OpenVPN.Service" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN.GUI.OnLogon = "OpenVPN.GUI" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn\ = "OpenVPNFile" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers.TAPWindows6 = "Drivers" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\PackageName = "OpenVPN-2.6.12-I001-amd64.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\OpenVPN | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00C00986CA1D04946BA3ACABB21FB871\Drivers | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00C00986CA1D04946BA3ACABB21FB871\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "import" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\ = "Start OpenVPN on this config file" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command\ = "\"notepad.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import\command | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe | N/A |
| N/A | N/A | C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe | N/A |
| N/A | N/A | C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe | N/A |
| N/A | N/A | C:\Program Files\OpenVPN\bin\openvpn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe
"C:\Users\Admin\AppData\Local\Temp\FVGSetup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /i "C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi" /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding CE447D31B9ECF65DA4648FDB7C3FAFB2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding C0F6DD896AF34A224CC69B51BCB2477D E Global\MSI0000
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Windows\Temp\6c5b298024427ae09dc929e24a09eac899720625ed9544b87e3139526fa6b6c6\wintun.inf" "9" "44006a23b" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "C:\Windows\Temp\6c5b298024427ae09dc929e24a09eac899720625ed9544b87e3139526fa6b6c6"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Windows\Temp\7c447ebf4ac5de88a8a6dc8efe57bcf9e7defd1ad02da8db6410eaef156d88ba\OemVista.inf" "9" "4c96e98cb" "0000000000000150" "WinSta0\Default" "0000000000000154" "208" "C:\Windows\Temp\7c447ebf4ac5de88a8a6dc8efe57bcf9e7defd1ad02da8db6410eaef156d88ba"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf" "9" "4e1f3ffd3" "0000000000000154" "WinSta0\Default" "0000000000000138" "208" "C:\Program Files\Common Files\ovpn-dco\Win10"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "11" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:9ef34515d755ec66:Wintun.Install:0.8.0.0:wintun," "42b53aaff" "0000000000000168"
C:\Windows\System32\netsh.exe
netsh interface set interface name="Local Area Connection" newname="OpenVPN Wintun"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "11" "ROOT\NET\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.27.0.0:root\tap0901," "433338203" "0000000000000138"
C:\Windows\System32\netsh.exe
netsh interface set interface name="Local Area Connection" newname="OpenVPN TAP-Windows6"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "11" "ROOT\NET\0002" "C:\Windows\INF\oem5.inf" "oem5.inf:c695c3de07ba2b5d:ovpn-dco_Device:1.2.1.0:ovpn-dco," "43b135903" "000000000000017C"
C:\Windows\System32\netsh.exe
netsh interface set interface name="Local Area Connection" newname="OpenVPN Data Channel Offload"
C:\Program Files\OpenVPN\bin\openvpnserv.exe
"C:\Program Files\OpenVPN\bin\openvpnserv.exe"
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config OpenVPNService start= auto
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start OpenVPNService
C:\Program Files\OpenVPN\bin\openvpnserv2.exe
"C:\Program Files\OpenVPN\bin\openvpnserv2.exe"
C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe
"C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe"
C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe
C:\Windows\system32\DeviceAssociationBrokerSvc_60ca11.exe /INSTALL /SILENT
C:\Windows\system32\OpenSSH\ssh-keygen.exe
C:\Windows\system32\OpenSSH\ssh-keygen.exe -t rsa -b 2048 -f C:\Users\Admin\.ssh\id_rsa -q -N ""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbc94ecc40,0x7ffbc94ecc4c,0x7ffbc94ecc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1988 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2116 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2452 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3140 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3764,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4556 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4500 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4508,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4952 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5096 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5252 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5336,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3920 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5104 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3804,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3392,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3360 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3416,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5088,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5240,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4996 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4988,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4780,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4500 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5588,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5596 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5704,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5580 /prefetch:1
C:\Windows\system32\OpenSSH\ssh.exe
C:\Windows\system32\OpenSSH\ssh.exe -N -o StrictHostKeyChecking=no -L 127.0.0.1:8443:127.0.0.1:8443 [email protected]
C:\Program Files\OpenVPN\bin\openvpn.exe
"C:\Program Files\OpenVPN\bin\openvpn.exe" --config "C:\Users\Admin\AppData\Local\Temp\45-3cb5daff-117b-4f0b-9800-c76d6ae5f00b.ovpn"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5116,i,7604911780765660775,14887208793533068446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4704 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.160.111.145:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | freevpnguard.zapto.org | udp |
| NL | 45.8.144.34:389 | freevpnguard.zapto.org | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 172.217.169.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.169.68:443 | www.google.com | tcp |
| GB | 172.217.169.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 142.250.187.193:443 | clients2.googleusercontent.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 172.217.169.10:443 | ogads-pa.googleapis.com | udp |
| GB | 172.217.169.10:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 216.58.204.78:443 | play.google.com | udp |
| GB | 216.58.204.78:443 | play.google.com | tcp |
| GB | 216.58.204.78:443 | play.google.com | udp |
| GB | 216.58.204.78:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 2ip.io | udp |
| DE | 188.40.167.81:443 | 2ip.io | tcp |
| DE | 188.40.167.81:443 | 2ip.io | tcp |
| US | 8.8.8.8:53 | ipv6.2ip.io | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.213.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 142.250.187.238:443 | fundingchoicesmessages.google.com | tcp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | tcp |
| BE | 108.177.15.154:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| GB | 142.250.187.238:443 | fundingchoicesmessages.google.com | udp |
| GB | 142.250.187.227:443 | www.google.co.uk | tcp |
| GB | 142.250.187.238:443 | fundingchoicesmessages.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| GB | 216.58.213.2:443 | ep1.adtrafficquality.google | tcp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| GB | 142.250.200.33:443 | ep2.adtrafficquality.google | tcp |
| GB | 142.250.200.33:443 | ep2.adtrafficquality.google | tcp |
| GB | 172.217.169.68:443 | www.google.com | tcp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | s0.2mdn.net | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.38:443 | s0.2mdn.net | tcp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | dsum-sec.casalemedia.com | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 104.18.27.193:443 | dsum-sec.casalemedia.com | tcp |
| DE | 37.252.171.52:443 | ib.adnxs.com | tcp |
| GB | 216.58.204.66:443 | cm.g.doubleclick.net | tcp |
| GB | 216.58.204.66:443 | cm.g.doubleclick.net | tcp |
| GB | 142.250.180.1:443 | tpc.googlesyndication.com | udp |
| US | 104.18.27.193:443 | dsum-sec.casalemedia.com | udp |
| GB | 142.250.200.38:443 | s0.2mdn.net | udp |
| GB | 172.217.169.68:443 | www.google.com | udp |
| GB | 216.58.204.66:443 | cm.g.doubleclick.net | udp |
| GB | 142.250.200.33:443 | ep2.adtrafficquality.google | udp |
| GB | 216.58.213.2:443 | ep1.adtrafficquality.google | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| NL | 45.8.144.34:22 | freevpnguard.zapto.org | tcp |
| US | 8.8.8.8:53 | ade.googlesyndication.com | udp |
| GB | 172.217.16.226:443 | ade.googlesyndication.com | tcp |
| GB | 172.217.16.226:443 | ade.googlesyndication.com | udp |
| GB | 172.217.16.226:443 | ade.googlesyndication.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | e2c69.gcp.gvt2.com | udp |
| CA | 34.0.38.213:443 | e2c69.gcp.gvt2.com | tcp |
| GB | 172.217.16.226:443 | ade.googlesyndication.com | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| GB | 216.58.213.3:443 | beacons.gvt2.com | tcp |
| US | 8.8.8.8:53 | e2c71.gcp.gvt2.com | udp |
| ES | 34.175.83.78:443 | e2c71.gcp.gvt2.com | tcp |
Files
memory/4352-0-0x00000286799E0000-0x00000286799E1000-memory.dmp
memory/4352-2-0x00000286799E0000-0x00000286799E1000-memory.dmp
memory/4352-1-0x0000000000A10000-0x00000000030B2000-memory.dmp
memory/4352-3-0x0000000000A10000-0x00000000030B2000-memory.dmp
C:\Program Files\FreeVpnGuard\OpenVPN-2.6.12-I001-amd64.msi
| MD5 | 635b9d9d72f6e455f35365801fb4b040 |
| SHA1 | a9df3d98eecfca7372c03fee38d530f5b7aebcf8 |
| SHA256 | 525759fe9e52a77a7d2cad99f5af1923d7d3027cab775ccfb7469ce0fd2b1758 |
| SHA512 | 4321f84f138845d02b0ff3c19d1fd307d5ac0eaea6721ea3d706661be41cfd292d7ad5905fd4a46ab029f9fa8c9a63096d7e1ca56eb8de1e1d161e45c055f633 |
C:\Windows\Installer\MSI3479.tmp
| MD5 | f97794a736b3c59ced7c005806fe9000 |
| SHA1 | 18238e0df4a6a9ed3783449f4d9db0774c5de86a |
| SHA256 | 3f591a709e24a1d95fe81cbb7efe336e91a92299a95fdbda91addf9aa0763030 |
| SHA512 | 6a89c856a0327601a3ad3d837b509c11359d1fc9b28181eac862e1df59aabb91261911e2e8f300a8482890c5bb6f8591cdd2ca0b6a3be7827d4c57ff225b86b5 |
C:\Windows\Installer\MSI3A38.tmp
| MD5 | 2232c07e354364e0eb1dc80024593826 |
| SHA1 | 65bb4232c0416cfb2c158bfc32a7732ad72cee72 |
| SHA256 | fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f |
| SHA512 | f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572 |
C:\Windows\Installer\MSI3A78.tmp
| MD5 | 718222e232d11298dfbabbc2b70d8b14 |
| SHA1 | 89fc560692111c2245694867b8772fd8969f46d2 |
| SHA256 | 45e855461f5d1be28a2f88416603070bd1778055abdd06834ae58e97b7ddf53c |
| SHA512 | 9191961c28a7a4647ae8f9f9e1956d60b97f5f5c3e4e838d888bf78c1ea665e98e8e3c75cc1247a68a89b2413493ea6d39dbc60827eec919ddba0536d793c801 |
C:\Windows\Installer\MSI3AB7.tmp
| MD5 | 84a1cc9540d5cdad74bc54f8090dd27a |
| SHA1 | c6f82d1491015457785ae0d365e7196d693d9a6b |
| SHA256 | 2738720da0b6ce474ca6eb51a92372d047eca2d713c256f0cd6c147ac3a0db21 |
| SHA512 | 9c25d6e7331844d01d732ac923e99c68f305749d92407c873cd09b451e59a8864001e308864fda319fa4a2bcae9dbe50682201c67901dce14272291dedecd2c8 |
memory/4352-156-0x0000000000A10000-0x00000000030B2000-memory.dmp
C:\Windows\Temp\6c5b298024427ae09dc929e24a09eac899720625ed9544b87e3139526fa6b6c6\wintun.inf
| MD5 | 8480579050970b0812cc3d9a1bce1340 |
| SHA1 | edebebd090602f4eee375ad754c8566d4fda23cb |
| SHA256 | 44098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b |
| SHA512 | 46de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933 |
C:\Windows\Temp\6C5B29~1\wintun.cat
| MD5 | faba2ccb8fe366fd281ca6be6d2bb7c2 |
| SHA1 | bb7bd32a21f3eba652fde24146387ffc5278143e |
| SHA256 | 602187e5470ddbdf9421045bb0515f358c88bf88f59fd8a886fb6373da5d0f82 |
| SHA512 | ec424a545e2598f299706499dab07b4d12b0734a52f928216a53bca2b7f384b97bd4fc092d7d68de636a75daf79ac392c4b49b7251ec011236de1659253d6214 |
C:\Windows\Temp\6C5B29~1\wintun.sys
| MD5 | 1945d7d1f56b67ae1cad6ffe13a01985 |
| SHA1 | 2c1a369f9e12e5c6549439e60dd6c728bf1bffde |
| SHA256 | eb58bf00df7b4f98334178e75df3348c609ea5c6c74cf7f185f363aa23976c8b |
| SHA512 | 09af87898528eaa657d46c79b7c4ebc0e415478a421b0b97355294c059878178eb32e172979ee9b7c59126861d51a5831e337a96666c43c96cb1cf8f11bc0a0f |
C:\Windows\Temp\7c447ebf4ac5de88a8a6dc8efe57bcf9e7defd1ad02da8db6410eaef156d88ba\OemVista.inf
| MD5 | 6f5ffb58a9e406ab1643c890e2a198c6 |
| SHA1 | 3ff1faba00ac18a93e88a6f2bbfa747c9fdc7e0c |
| SHA256 | 1327ab3a8c50691f04bea8e2ca356c5b604092a719e219464f8cc4b42e192de9 |
| SHA512 | af29bc13cc02238208c51e4e95dd0a4445a952755635a9eab38aa77a5c087cc8e2025af55d8f3a0e9f2430baa91534e7f892bb71aa0ef72bab4483211a845b4b |
C:\Windows\System32\DriverStore\Temp\{65d429e7-c15d-3b41-9ab8-3aa0c7ed6034}\tap0901.cat
| MD5 | 71ecece58bb00bdc1e728ee28d7a5332 |
| SHA1 | 4305889415cf95662a30d024f1138f1af224cf42 |
| SHA256 | ee062e5ef2743ceab10c64830e4cefe52e35cc1ece85947ac4e61ddd1c0b05f7 |
| SHA512 | 9b23404d867fc4fd7c7beeba3768e8fed3113cc7430ec1bc9ca7faf6e6105388de7057b1402f9b4ba8fbc11e5fcd3afe14233721e8d15b6c0bed40f65aa5b58b |
C:\Windows\Temp\7C447E~1\tap0901.sys
| MD5 | 1bb9772a05517e227d1dafd3936e8f66 |
| SHA1 | d695ca5791a4b6a3509939aebdfaf5e229c6fbcf |
| SHA256 | 581dcaace05d5c1ac9512457ff50565aca5d904d2c209bd3fc369ca4d4a0d2b1 |
| SHA512 | 3f1966038f91b887fe1a71474929bd87f3c75091846c6e9563f7424d3a7c19c908f1d874895341c61a868a616aba637e3d4188d4ebb7383087886a13a4dc0aa2 |
C:\Windows\System32\CatRoot2\dberr.txt
| MD5 | be209ba860598d787a508a735f90a57b |
| SHA1 | e0b63973643f8423c7dc5eb5a41d224349abd359 |
| SHA256 | 73286e10fe3420d18872ec0fdb1045c1d4e535682b05218400c0f045390d313d |
| SHA512 | 7838990cefa0e55379397e3a3f760bd2ed835a2ce447afa7d757450587df45ef0734be17736474ceb89da479f7899cc88cf3d3ba8395bc62abc79ea6f22c3222 |
C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf
| MD5 | 77da079a3665afc84d05c3d07bcaa0d0 |
| SHA1 | 3fbfafe2c08100f5b46b792398c2ecb9157760e9 |
| SHA256 | 1f6c35bc11d910f91c32ea54894d0fddb0094876bdd526d04a9287d04d636242 |
| SHA512 | 10fcd8464c6aab386bf2f675175598764e0b784a898b7b450fef3d055ecf902c7a57ac0aef2725b9e6899146e4e9230c8677bfd2a8f18489b642fa6beca25507 |
C:\PROGRA~1\COMMON~1\ovpn-dco\Win10\ovpn-dco.sys
| MD5 | 5e69b6c42467b2673101e592a2b28638 |
| SHA1 | 16d076f57b3cbdbe945c6666676823871f5c90d1 |
| SHA256 | 2357e4d2007f346a3d2b3bf05115caeaf3eb069a70be654ce472be71e6f7fc75 |
| SHA512 | 232e9441db8da52cd5e6f29baf5340b0540125074a7ccc9d4754762c56460b72327f89d6583a8afde71ed400433eb850e1eb2b9d5fc536d8f9c18992b83fa587 |
C:\Windows\System32\DriverStore\Temp\{4f8615c9-ddeb-e149-b127-fb6956f1825e}\ovpn-dco.cat
| MD5 | 5551203f3f1095335ff00421b16fd7e2 |
| SHA1 | 0d14402407d60952f631dffe35240de3a1f910cb |
| SHA256 | 26c54ce26cb43407855ba24d10fbb30a87e5a1a0a35536025a02cb003fe474f4 |
| SHA512 | 3c31b8f60bb59e4ac3c0cda8335af1918927c51b203c8b68f2601b390ad0bc0228cb9d5566dedef05ff38cabfce46eb3d54c52cd59c828bc17dcf0b1c24a8b08 |
C:\Windows\System32\CatRoot2\dberr.txt
| MD5 | 3eb628d89a0964f3ae52fdf669858ddf |
| SHA1 | dbe4568e8c8630aa6c0734d6c4cfaf747ec148f1 |
| SHA256 | ef30df30505a58bf4a58462606a624d3a37c35bbcef4a52f8ff653ba6f1cf03c |
| SHA512 | 3d3018ddebcf35107b231f090e89a6e7560badd59542381199ebf8575c42f851948fbd9a1992240b384916d83c89ad94a46b5d3d8d57a84331bac5f35185330e |
C:\Program Files\OpenVPN\bin\tapctl.exe
| MD5 | 0fb0cc41caa43667a02d4f1273688843 |
| SHA1 | 25a79c7b406c0f8b24095684de2e17cf1ab2ef0b |
| SHA256 | ffde0fe1e6aa7332c86aadfc1c6969866c808058a40b3dd771692eb479ded225 |
| SHA512 | e2bf78ebdfc6feb7e13ec51fa10e6ffc06380dc586c39ec2ac7b7574ce39ef3f86995c7597f253ce8e2e3bef474b092baff582ece28e796ef806d86ba4d6f8d7 |
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
| MD5 | 4c22527190ac1ae2a0ae56d7a00796a3 |
| SHA1 | b7ced9467df11a149b5cc008cd8071745b0ba4d2 |
| SHA256 | ccb395aeb255c1b67a48d2792900e0ba50034abf6e96a63485c5e39f6e79de34 |
| SHA512 | 8686c6a94daf63328609ac171753ba04acec8fe6c615bc5957de4b720e0f26af924225e6f3802dc0e489b75a2a233751c0b97a2664fb789b8c1326ae952216b1 |
C:\Program Files\OpenVPN\bin\openvpnserv.exe
| MD5 | aabbde60aaaf46b0a4b1b136170bd4cd |
| SHA1 | ddedf294dba6db03ae164997283f23d917a1d98f |
| SHA256 | afbd423094f6c7af9496d0185e512ab4e950b2e8ac3811f19eabe7e0e1d02123 |
| SHA512 | 635a93431ab2189c616f507e0b0e3bccd44dd3c2531437e08d1281ae5384e494699de15560f9c0fb1177d9ae3d2b267618df19eed57a76d51a39054b5b16d258 |
C:\Program Files\OpenVPN\bin\VCRUNTIME140.dll
| MD5 | 5797d2a762227f35cdd581ec648693a8 |
| SHA1 | e587b804db5e95833cbd2229af54c755ee0393b9 |
| SHA256 | c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7 |
| SHA512 | 5c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e |
C:\Program Files\OpenVPN\bin\openvpnserv2.exe
| MD5 | bc71317e0308cdbb60c144de84ab3c68 |
| SHA1 | 01f4d0d5c856f9f283d93c7c909088e862679ec3 |
| SHA256 | d1e995a2d32e7833a369aa849e8b877162e07c1a161c6dccb95ca2052fc8b1e7 |
| SHA512 | 17f2333020eb2375f79a4bcb4884662fba8129ada9de24e6d2ca51c623f0de16e6e7e5ba60a119b13474d6627b1807b466f886a414c120c5d0d85d7f71427ded |
memory/2872-522-0x0000000000510000-0x000000000051A000-memory.dmp
C:\Config.Msi\e5830d2.rbs
| MD5 | ef29db6a56d20811b7afa1a0ed0678d6 |
| SHA1 | fb05753528e635639556c5470776c5de8fc567d9 |
| SHA256 | 8c14b3f64397de5f9e5c9e8e0bc2c9e0089de9c70549ec974b05f2a068ebdec5 |
| SHA512 | 3cc3ec78f4d6789ecc255d11f7364cadeb3e2123bf8a975ea4c37194cc65e373ea7b0004fcac7bc3727a249a25fd34b4cbd909ca5cc2cc6bbb9d317038da25c5 |
C:\Program Files\FreeVpnGuard\Free-VPN-Guard.exe
| MD5 | f1b44bfff7c75f0ae50129d7322f05c8 |
| SHA1 | a4713613cc3ffead0bd3debe8ee386e6fd5d3529 |
| SHA256 | d3536e997456734926d88cf7ebd0c00ef001c385c2bd9d3bece56f885d230177 |
| SHA512 | 0d6f4f81ea62b805098d017d075210d1d24bb3341b674dab9af3c8feebc26a42d1180ee75a204b714e08e88e7e9f8fe01c9a472c6cfc281d6afeefb0a17f0934 |
memory/4352-550-0x0000000000A10000-0x00000000030B2000-memory.dmp
C:\Windows\System32\DeviceAssociationBrokerSvc_60ca11.exe
| MD5 | cfd60406e7a40998306f59e93bbf2be6 |
| SHA1 | 6cc4279d83d77d63968af44fc8ae619941a1ff46 |
| SHA256 | 3aeb15cb33fd85a5e27acb4fd3efac027e69c700fc6d38d08ea3a691e3d3a17d |
| SHA512 | c606071f53d2ca3fb19990ced6ff119c8ca4a520d9f28c9f0bbf0b83df3334ff60f6ccc8b017206dd33dc489f1d84f7a1c88ff02b8d986f1ce9ac50ef8ba66c2 |
C:\Users\Public\Desktop\OpenVPN GUI.lnk
| MD5 | 4e8cac8596620e5f4cabef61ba01475f |
| SHA1 | 11ab6fad76da5aabeaf5e5bfc1ed4c0761a9a4e9 |
| SHA256 | 3730eada02a5726ec6121d477318670e19bf7554ea8a0639bc6159c5879e07e4 |
| SHA512 | a52fb496e9154fef356706280bd0adb205608fe2fcca0ba4f7ba6c8e7ba48841c4db13eea302d94bde23769af766b25dd7bcc6249f17f1bf4d03e438d1d66876 |
memory/3984-564-0x0000000000400000-0x0000000000D3C000-memory.dmp
memory/2236-566-0x0000000000100000-0x0000000001E49000-memory.dmp
C:\Users\Admin\.ssh\id_rsa.pub
| MD5 | 50706a898e41d81452fc1836757a662d |
| SHA1 | 267dec7fb27ed6b7efb913cb218f0de10c0caa44 |
| SHA256 | 52715eddd952ea9e3d7b3335264a213bb57177881d7782138e31608ef8c409f0 |
| SHA512 | d570cec0a1c5ba9ffd11be4ddd40d81eba6e615b7d7c2bcfff66dcebc4b3b091bb6630191201ba05741f8ab35082f753427ddcdc8b5401bc334030a5cdfc962f |
\??\pipe\crashpad_2380_MSDNSPOMUNAGEFVA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/2236-625-0x0000000000100000-0x0000000001E49000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scoped_dir2380_1966584455\948479cc-64ab-4334-8e14-8be925643646.tmp
| MD5 | eae462c55eba847a1a8b58e58976b253 |
| SHA1 | 4d7c9d59d6ae64eb852bd60b48c161125c820673 |
| SHA256 | ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad |
| SHA512 | 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir2380_1966584455\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | ad3626d88cc6859951b85562d0c7deec |
| SHA1 | 555e09cf5201abf4aa749404d67ec8c8be127930 |
| SHA256 | 0630c244783528a1a129b751261857822e7229526978863061d335416c50952b |
| SHA512 | 1aa6f0ffecac2b7245a3b4a2f21e41265a9d18cff2615a6b4d4ad0ad1268bdc04110099e98b55012b9b981e4e640067fa4295a8211cd194bd4fb4c2ad2ac9b26 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | de39c72ddd5f12dd8eaf5ac9e3497698 |
| SHA1 | c03b298173bd7ec866e26fc22ceccfb9e1f972cc |
| SHA256 | 1081f2f786a2ee80e5895d3fafe1befcefb6b76fa2c6bdb795d59df9571ba564 |
| SHA512 | 8efaedec7542e505b8539a3d689a8cd0881103675e4608e08904c4c5b08fd21fc5ad2a801c815b0d6c81bde3ccfc6d730e95b4eaaba7fccc9340631822a9fc88 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | dbf14b88acad0aa74c204f94d1900631 |
| SHA1 | 220c98b39c3161e64b3831cfb00414ac4b1c87da |
| SHA256 | b4672665d85cfbcf894ce6aff8c35f7cb96359a44359bcbedd5fd05e3536263c |
| SHA512 | eb6d70993f69e2bfc4a528c5e8cd7099bdde9f1b49306590f356221aa78db5f2d7d60b453a65d895a9e3def16b15b7247b4d53c4c54353f6a48e0f40659577fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c23343e0e521eb942eb7a899f60e42e9 |
| SHA1 | 85466d6bd8f002239083740c3be9b1acec876d23 |
| SHA256 | d86861f40e537d77f54b160e980902918e298e6f0118adcd5e687e0ad4774167 |
| SHA512 | 0598587f7adb2f40b25db00eab8541f5d70b2309b8e5bf42f90ceceaa72f8dfe01d82100e5e345e1e0dfd36dd81915aa9e84a63969ec14ca639ee4e6b3824e76 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 2910eff71021a99fe4b9dbf1dc011376 |
| SHA1 | a2b819e55ffbd850ce54dcf80a7eb954c70193a4 |
| SHA256 | 84545937ef94ad7fe176caf02e56bfb9cf973aa2d7391c562027f5545531b838 |
| SHA512 | 664d06a2cef1458786a5ea6ceb98c79ce21fea537a7e9ebcf419435ebe59facda7b11bc3f245e29001af6dfd87fc53029d854ddd5b3099215be7c0af85ee0ab9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZKC1FSM4\ip[1].txt
| MD5 | e3eb2b4cff0d56624daa49116976aeb4 |
| SHA1 | 234db53081db6fc733d22a896f6dac5068eb066a |
| SHA256 | 3b9efd080931e6b2d3b89e8dcd2655792329a41c4699ffade4b48288bfdb0ffd |
| SHA512 | ab0ce3a7301fe64594408380f5d55c8ebf24b0c94527fd2b29ff83bb2a10ab57be5a9de4ef56f532b0002e921c74cae14db0cc0f86d79e49d9d14f073d65d12d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e40b4a97b60b128984e77848c9bef6eb |
| SHA1 | 2f20ec6a5cd2bd409f6d3f25a73eec4aa01647c7 |
| SHA256 | 7a4967bcc7f6c017ed1fea0c7f4795d3ce3e7a129e6c3032fb932eb4b8f186fd |
| SHA512 | 0098a04e56c9cc0af97af5fe2c48dc3b5c68ca03fda5e2b5762b227554682efe09d206f02cddc43217f8c835618eecaf76b8e053dc813d31bc9cfa053f35eec3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 199cc57fef8c891aaed06893544dfa36 |
| SHA1 | 36dd4ca4a5ca4a84408d192bd0f95f3c963f70b2 |
| SHA256 | cf1849300620833585234b9993fcee7e41a632edb23bdd75bd25ae4b1603a6c7 |
| SHA512 | 92941eb0517d678c57f295e97a340b10712b54475af7660f3089f84847a9dfd4ba2f168bcdcb2d0734dfe057d8c2f58c3f20fa537dedae99828b353176ce42aa |
memory/2236-1194-0x0000000000100000-0x0000000001E49000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 6d2a1c1844cee71d8cf18f9a9a16ea8c |
| SHA1 | 7b649e5630bb257d3fa0c7b13ffb443a4e1596f6 |
| SHA256 | 1b8fc286b5cad96d5f80989cca84c700661198ee5439b308c8362c3a3f1d2775 |
| SHA512 | 362e58eddf9f3b2cdb44b852171eb20cca97b6288a5a108a103afb60e4ebc66a8763336c1e4e933baaeaa3a3010b7958e78cccaf22eb90a0cd9672799bddba50 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | 535e51d56f374f865d9634bbb0071ea5 |
| SHA1 | 0b3616bd4839cafc4664b32d6c01d7d559ca90aa |
| SHA256 | bcbca1983532d65efc494429471b2f3d03400d829496095a16d9308a0af81015 |
| SHA512 | ac442c43db8096d2eabf2346410987a662353fe78cec945b3c057cdc524f25d05d96e280e221f9bd693ab50468f7f8fdd17e024ee7b11ad17c297d3344991bce |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c5473ab97d4e3cd16b781c6b9bb81574 |
| SHA1 | d581d2197dfa7fa0e64ac7ee2cd35fa16bfdc331 |
| SHA256 | 7d399b0ad3959dbc9356b6b711fd6fb597e0a71a7ee35ce4f1bc1c551c4e2b7b |
| SHA512 | 8eb1c621b843c750e07d404ca124ef149fe1a297636cc07c941010050bafa3a96f4735e3fe1309a9fa45a58ec66efc2b2ba3d33b4ddbed6f7be1e98e3fa0cc6a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 03b668b8bfc4fb97d849cf943fa34c7d |
| SHA1 | bf9686214aaa88cbac9fb9453179c77702e3bde6 |
| SHA256 | 181f88a77f0f1c87d82b2119c977b687247ab1e172108866e9b8a1f1cd8d791a |
| SHA512 | 3a2537245acb4ca261fd5c7291c0560675e369c0b88571641b45ed12f2e19e5e9c9267d05ddf8ab825d75f865cff193275c46017da4f3f3de4c368123d1d10b6 |
memory/2236-1246-0x0000000000100000-0x0000000001E49000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 87a50dbe96662abe5a78a4e6bbba2e45 |
| SHA1 | ae769d75fc1c98a6dab52a2baceb0595e13553e9 |
| SHA256 | 45d0b48261b9aff99ef5f28822ab817e780703160a30ac67f72e0d0807dc3fdf |
| SHA512 | e9bf9b8c3ec364dd98c4d6f0ed4192e23b61e3822c6da02dc3fa79e8d6a3344e3ffe1c3fa3123b215090b3f250794ca3715cae2adbc1638fac25f6f26f4028e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 1c2812b48342b2167c8663792c008440 |
| SHA1 | bb89e4f52a74b082bef6b5288a23b15577409c87 |
| SHA256 | 562d7834e8b868c617b5c21ef3db0c3c769f42a882189b9f811a7e65a4efaf35 |
| SHA512 | f5a3a1c159ff935e38398816f03d127c7b76e4f0a31db0e450b12d01fcdcff88d985892e6b69f9e7459d623db7a5ae6cedc15a2ba6e622cccd6874d876e5cf9b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4ee63a65ff3445b1b660ad31bb680495 |
| SHA1 | b58612783461ca79334cc368715fae63f6c4dc4c |
| SHA256 | da17de10c3f63b786c0e98c61e334341948c97f276b5f66520747d894fc85107 |
| SHA512 | 59980fd9f52f691f75f28d313d0ccfaec67bec997d4a3879e64933a725d8773ec692781d35e4cbeafd7dbbedc134d2078aa880ac2269bcb96b260ec4d61d33ca |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 47e58f2217845792ea3b8d417bf7bfeb |
| SHA1 | 0d722aa4f8f0ceefd05ec91b1775c8181e96e10a |
| SHA256 | 66c540e0c245fb0f478ef979bb0df6d01679cf799f4dffd4ab2332633dd175b4 |
| SHA512 | f12fdb0e87419b42f0b6988122d85136db9da4a51b79f7596f6dadad95ff48ec0fb2e21e61e0342be5dbd60c389c070b3f5d0893d8ddf9c37572144bbaf116f0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6afe80dcec8b2d21694d5ba2f24bd2d7 |
| SHA1 | b012287e066ee492cce36ee6e14305cd61519c40 |
| SHA256 | e03e1dc93ebabcdcf95e23cbe6ffb706e5bd86af75090fa6c3bbc963940f0843 |
| SHA512 | 49c7ee1cd803f0c19d78a67518f203ce45c9d70713f0d84742e3eae9ff628223a532e4fd1518d6e31d8365f74c10cec179e5d543935c53e96ca5306cdf9df30f |