kb159569475.exe

OpenVPN Portable

It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘UJWT’. The file has been seen being downloaded from utilitefact.com.
Product:
OpenVPN Portable

Version:
1.6.6.0

MD5:
02769e543d76434ca4d61d8e04343a61

SHA-1:
57c89313a731648f5b353d4812e99c2c867b951b

SHA-256:
520654e032be6258de6b96c43844bae8d0fd8eabae1378deb837ca78984b49b1

Scanner detections:
2 / 68

Status:
Clean  (2 probable false positive detections)

Explanation:
These detections are probably false positives (erroneous); the file is probably malware-free.

Analysis date:
7/9/2025 5:13:28 PM UTC

Scan engine | Detection | Engine version
Qihoo 360 Security | HEUR/QVM09.0.0000.Malware.Gen | 1.0.0.1120
Rising Antivirus | PE:Trojan.Kryptik!1.A32E [F] | 23.00.65.16405

File size:
217 KB (222,208 bytes)

Product version:
1.6.6.0

Copyright:
Lukas Landis and contributors

Original file name:
OpenVPNPortable_1.6.6.paf.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\kb159569475.exe

File PE Metadata
Compilation timestamp:
4/7/2016 6:56:07 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:gvuEt4BKBnK5a54lXaz4N1+O5wwSCJWDR:gvSBonK5RlKW1/CDP

Entry address:
0x4C0D

Entry point:
E8, 52, 64, 00, 00, E9, 16, FE, FF, FF, 55, 8B, EC, 83, EC, 04, 89, 7D, FC, 8B, 7D, 08, 8B, 4D, 0C, C1, E9, 07, 66, 0F, EF, C0, EB, 08, 8D, A4, 24, 00, 00, 00, 00, 90, 66, 0F, 7F, 07, 66, 0F, 7F, 47, 10, 66, 0F, 7F, 47, 20, 66, 0F, 7F, 47, 30, 66, 0F, 7F, 47, 40, 66, 0F, 7F, 47, 50, 66, 0F, 7F, 47, 60, 66, 0F, 7F, 47, 70, 8D, BF, 80, 00, 00, 00, 49, 75, D0, 8B, 7D, FC, 8B, E5, 5D, C3, 55, 8B, EC, 83, EC, 10, 89, 7D, FC, 8B, 45, 08, 99, 8B, F8, 33, FA, 2B, FA, 83, E7, 0F, 33, FA, 2B, FA, 85, FF, 75, 3C, 8B...
 

Entropy:
6.7943

Code size:
76 KB (77,824 bytes)

3 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
UJWT

Command:
C:\users\{user}\appdata\local\ujwt\wininitpatcher.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
RIX

Command:
C:\users\{user}\appdata\local\rix\ntspoolsv.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AFUN

Command:
C:\users\{user}\appdata\local\afun\winskypec2cpnrsvc.exe


The file kb159569475.exe has been seen being distributed by the following URL.
