10647efd97707c2a8e1a75437e80d44950f3cbb9bae87b2c6bcc50cee02ff272

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7v20201028
submitted
25-02-2021 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

veraport-g3-x64.exe
Size

6.5MB
MD5

9d7340464cc05a959f51bb8fd74c5dee
SHA1

249e3d40962183c154647d2c1d1d444589895584
SHA256

10647efd97707c2a8e1a75437e80d44950f3cbb9bae87b2c6bcc50cee02ff272
SHA512

d23628df67eed460227e8f3fb63ebb8996003b118171c78145ba43c73b49c25a2592c10aaa672e965ac0df9a25ea68f5781cc4a50dc112117c4b8d750f9b3085

Score

10^/10

discovery evasion persistence spyware

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 23 IoCs

Processes:

veraport-g3-x64.tmpveraport20unloader.exeveraport20unloader.exewizveraregsvr.exewizcertutil.execertutil.execertutil.execertutil.execertutil.execertutil.execertutil.execertutil.execertutil.execertutil.execertutil.execertutil.execertutil.exewpmsvcsetup.exewpmsvcsetup.tmpWizSvcUtil.exewpmsvc.exewpmsvc.exeveraport-x64.exe

pid	process
1444	veraport-g3-x64.tmp
1704	veraport20unloader.exe
368	veraport20unloader.exe
1648	wizveraregsvr.exe
564	wizcertutil.exe
664	certutil.exe
1800	certutil.exe
1016	certutil.exe
1704	certutil.exe
1076	certutil.exe
964	certutil.exe
1064	certutil.exe
440	certutil.exe
1648	certutil.exe
696	certutil.exe
1512	certutil.exe
1112	certutil.exe
1720	wpmsvcsetup.exe
1904	wpmsvcsetup.tmp
1892	WizSvcUtil.exe
976	wpmsvc.exe
1716	wpmsvc.exe
552	veraport-x64.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wpmsvc.exeWizSvcUtil.exewpmsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wpmsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WizSvcUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WizSvcUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wpmsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wpmsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wpmsvc.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

WizSvcUtil.exewpmsvc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	WizSvcUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	wpmsvc.exe

Loads dropped DLL 64 IoCs

Processes:

veraport-g3-x64.exeveraport-g3-x64.tmpregsvr32.exewizveraregsvr.exewizcertutil.execertutil.execertutil.execertutil.execertutil.exe

pid	process
1072	veraport-g3-x64.exe
1444	veraport-g3-x64.tmp
1444	veraport-g3-x64.tmp
1444	veraport-g3-x64.tmp
1444	veraport-g3-x64.tmp
916	regsvr32.exe
1444	veraport-g3-x64.tmp
628
1648	wizveraregsvr.exe
1444	veraport-g3-x64.tmp
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
664	certutil.exe
664	certutil.exe
664	certutil.exe
664	certutil.exe
664	certutil.exe
664	certutil.exe
664	certutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
1800	certutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
1016	certutil.exe
1016	certutil.exe
1016	certutil.exe
1016	certutil.exe
1016	certutil.exe
1016	certutil.exe
1016	certutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
1704	certutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

veraport-g3-x64.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	veraport-g3-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wizvera-veraport-x64 = "\"C:\\Program Files\\Wizvera\\Veraport20\\veraport-x64.exe\" wizvera-veraport://exec/x86/16105/"	veraport-g3-x64.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

wpmsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	wpmsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	wpmsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	wpmsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	wpmsvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

WizSvcUtil.exewpmsvc.exewpmsvc.exe

pid process

1892 WizSvcUtil.exe
976 wpmsvc.exe
1716 wpmsvc.exe

pid	process
1892	WizSvcUtil.exe
976	wpmsvc.exe
1716	wpmsvc.exe

Drops file in Program Files directory 14 IoCs

Processes:

veraport-g3-x64.tmpwpmsvcsetup.tmp

description	ioc	process
File created	C:\Program Files\Wizvera\Veraport20\unins000.dat	veraport-g3-x64.tmp
File created	C:\Program Files\Wizvera\Veraport20\is-U0TIO.tmp	veraport-g3-x64.tmp
File created	C:\Program Files\Wizvera\Veraport20\is-VCP5S.tmp	veraport-g3-x64.tmp
File created	C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-D5S41.tmp	wpmsvcsetup.tmp
File created	C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-UHSJ5.tmp	wpmsvcsetup.tmp
File created	C:\Program Files\Wizvera\Veraport20\is-91CRC.tmp	veraport-g3-x64.tmp
File created	C:\Program Files\Wizvera\Veraport20\is-I59N9.tmp	veraport-g3-x64.tmp
File created	C:\Program Files\Wizvera\Veraport20\is-JOA7A.tmp	veraport-g3-x64.tmp
File created	C:\Program Files\Wizvera\Veraport20\is-UPUMI.tmp	veraport-g3-x64.tmp
File created	C:\Program Files\Wizvera\Veraport20\is-J2LT3.tmp	veraport-g3-x64.tmp
File created	C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-H28LL.tmp	wpmsvcsetup.tmp
File opened for modification	C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.dat	wpmsvcsetup.tmp
File opened for modification	C:\Program Files\Wizvera\Veraport20\unins000.dat	veraport-g3-x64.tmp
File created	C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.dat	wpmsvcsetup.tmp

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

Processes:

wpmsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	wpmsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	wpmsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	wpmsvc.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exewizveraregsvr.exeveraport-g3-x64.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\InprocServer32\ = "C:\\Program Files\\Wizvera\\Veraport20\\veraport20.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ToolboxBitmap32\ = "C:\\Program Files\\Wizvera\\Veraport20\\veraport20.dll, 103"	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D913D1E4-A4B3-4826-A81E-C4CE32FACFDE}\ = "IVeraport20Ctl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ProgID\ = "veraport20.Veraport20Ctl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\veraport20.Veraport20Ctl\ = "Veraport20Ctl Class"	wizveraregsvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\VersionIndependentProgID	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wizvera-veraport-x64	veraport-g3-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\VersionIndependentProgID\ = "veraport20.Veraport20Ctl"	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\TypeLib\ = "{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}"	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ToolboxBitmap32\ = "C:\\Program Files\\Wizvera\\Veraport20\\veraport20.dll, 103"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D913D1E4-A4B3-4826-A81E-C4CE32FACFDE}\ = "IVeraport20Ctl"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	wizveraregsvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\MiscStatus	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ToolboxBitmap32	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\veraport20.Veraport20Ctl.1\CLSID\ = "{477D5B9A-6479-44F8-9718-9340119B0308}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\LocalizedString = "@C:\\Program Files\\Wizvera\\Veraport20\\veraport20.dll,-101"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\veraport20.Veraport20Ctl\CurVer\ = "veraport20.Veraport20Ctl.1"	wizveraregsvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ProgID	wizveraregsvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ToolboxBitmap32	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Programmable	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\InprocServer32\ = "C:\\Program Files\\Wizvera\\Veraport20\\veraport20.dll"	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}\1.0\0\win64	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\MiscStatus\1	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ = "Veraport20Ctl Class"	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ProgID\ = "veraport20.Veraport20Ctl.1"	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\TypeLib	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D913D1E4-A4B3-4826-A81E-C4CE32FACFDE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Version	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\VersionIndependentProgID\ = "veraport20.Veraport20Ctl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\TypeLib	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\VersionIndependentProgID	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wizvera-veraport-x64\DefaultIcon = "veraport.exe,1"	veraport-g3-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D913D1E4-A4B3-4826-A81E-C4CE32FACFDE}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	wizveraregsvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Implemented Categories	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wizvera-veraport-x64\shell	veraport-g3-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}\1.0\0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Control	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\ProgID	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\Programmable	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\TypeLib\ = "{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308}\InprocServer32	wizveraregsvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}\1.0\HELPDIR\ = "C:\\Program Files\\Wizvera\\Veraport20"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	wizveraregsvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FC9D3F26-BCA4-413A-A265-D8371C2CFEB8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\veraport20.Veraport20Ctl\ = "Veraport20Ctl Class"	regsvr32.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wpmsvc.exewizcertutil.exeveraport-x64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9DE8690DAECF18B1A4ACD2B7CEE9B35FBBA2DDC4\Blob = 0f0000000100000020000000305d8552cda90543300c4b19400d9f469a9000f0a13d21c167734e20b17fa2c50300000001000000140000009de8690daecf18b1a4acd2b7cee9b35fbba2ddc4200000000100000057030000308203533082023ba003020102021420bbeb748527aeaa25fb381926de8dc207102b71300d06092a864886f70d01010b05003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484132301e170d3139313032333033303430385a170d3430303530353033303430385a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413230820122300d06092a864886f70d01010105000382010f003082010a0282010100f3da060f38568f5a6d95f2eba256cf4cdbba97fd6604e73aefc899187c2dd8d1f1c0fa8f8c4fc69a05afe6e4b7964f61c3b67b76f5d2ff73f9d7a013cab9160a94e6442f14cd79e8ae208288745c0f63280c756dcf23d381bad6ee6c17fc04ef5132516dd7274132b87dafb519e16338aaffddda20848430eece2f4ce7b877f16738404db86cf2b1ddeded08388f90e6507261b8f07669b17fe2b5f7971411ad07017541ea53a4e6fd28bf822e4a66855afb87c070b8d1ee1ff90dec14aa462fedb5b17439ca7a9b90221ed54c66f4d8e217acb686b3f5f0306538e8ace848185ccae2f82838d7fa35813de7d32af420a9f540e1645de795c98b77db8c6f42670203010001a3533051301d0603551d0e0416041455e94876be082d97c6565a550ba7b4104b14f6a2301f0603551d2304183016801455e94876be082d97c6565a550ba7b4104b14f6a2300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382010100422038356b429ed7b115c75c6c6eb16362c0f6f9747d772e4e4b2ec23d61c1750bf0b58210b6006198f0669505871a5f04078c3a35f90aafc4d3926638d8589c2c413b944846947c49935022990b0631f3735649bfca8253bc5858b298320fe2aa363d6be9f878f888a3e416a13abfb57d54d9392e4e778e71559e36ef5a918a156be2a6c868fc7b9afd9f7851a7faeedc882a39886502b623daacaa50165ed964f323184e6c982b79c5dd915a5df5ad3d260a65011a3cc3ddc28fe8d3bd38608daed8218d6002ef9a53a53c70bd2a75509847d78e4b33e7a1d048dd844651e191d563b95d3fbea0fc1c3ff1f28508c85f1c846d773ecc9feeeed6e9e47f37b5	wpmsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\04C604DDC5D3D37B389D086FFF0DEAE0FD9F52A0	wpmsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\04C604DDC5D3D37B389D086FFF0DEAE0FD9F52A0\Blob = 0f0000000100000014000000ed29bda8c145d03315d8492c6159cd508c36a08003000000010000001400000004c604ddc5d3d37b389d086fff0deae0fd9f52a0200000000100000057030000308203533082023ba003020102021474b7009ee43bc78fce6973ade1da8b18c5e8725a300d06092a864886f70d01010505003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484131301e170d3139313032333033303533335a170d3430303530353033303533335a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c27feb98a564b360a80aaa5b9fe67416af79858286a82f1f61355b1435df90f9a6f7da8700c3188a702eac88c4ea781d468c34ba4150877b0c975f12d6b24fbd36b9296460bb6aa8e01d983c9e4bafda06db4fe05ddbf067fab1cc6a26c93f009fe347924a04da2a3e3878061b5466031afcdcae5ce040afb2be5980adb61da7537df90eb5d2d1809e0c5fc97d64656526ebece124fa927886fcc8653b3a205d639914506c2918f2a73a5e378687a850e5437698ce72d3b880d2e27b9412fa84bd77a4f2216ddc795288319eec534651ad2386cf81c818ecaeadaabfad971c223c435ac15ba3aff4e082be65a5b36be8e9321bba67175ee4ef9da9f08612243f0203010001a3533051301d0603551d0e041604141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21301f0603551d230418301680141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21300f0603551d130101ff040530030101ff300d06092a864886f70d010105050003820101007a88b369c2d691d240e5dfdcbfd66d5b5f203c2da103461a8fd15353921074cfd0dfdd0ed2a0491e367dc0b6a9e3db3c12a379fa78b5f5830dc9ebb03c07acd96f0c6410f7299a5fada79b3afb60d412c701a7a22e7ef21e5b4776100da45a46eb2365fad67ebaa2502a5e6e8e9db94c46d259f6946f99a8897f125c0b87ba5ae3206c4b5d5f15b720d0b5016f7455092d10137fa4a8b6fa618373ba9a44f3902fd5d376ebc4855f6792fc6d5e3285311525774bb400c4efef64645957ba75a1282a9d594b89dca9d826afce9a280197649c691b00b67a214c2fa2df058c5272eb0b85658053ce80a90dbaa17551ab8541818be149304ca4b424b160f20cd91e	wpmsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9DE8690DAECF18B1A4ACD2B7CEE9B35FBBA2DDC4\Blob = 0300000001000000140000009de8690daecf18b1a4acd2b7cee9b35fbba2ddc4200000000100000057030000308203533082023ba003020102021420bbeb748527aeaa25fb381926de8dc207102b71300d06092a864886f70d01010b05003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484132301e170d3139313032333033303430385a170d3430303530353033303430385a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413230820122300d06092a864886f70d01010105000382010f003082010a0282010100f3da060f38568f5a6d95f2eba256cf4cdbba97fd6604e73aefc899187c2dd8d1f1c0fa8f8c4fc69a05afe6e4b7964f61c3b67b76f5d2ff73f9d7a013cab9160a94e6442f14cd79e8ae208288745c0f63280c756dcf23d381bad6ee6c17fc04ef5132516dd7274132b87dafb519e16338aaffddda20848430eece2f4ce7b877f16738404db86cf2b1ddeded08388f90e6507261b8f07669b17fe2b5f7971411ad07017541ea53a4e6fd28bf822e4a66855afb87c070b8d1ee1ff90dec14aa462fedb5b17439ca7a9b90221ed54c66f4d8e217acb686b3f5f0306538e8ace848185ccae2f82838d7fa35813de7d32af420a9f540e1645de795c98b77db8c6f42670203010001a3533051301d0603551d0e0416041455e94876be082d97c6565a550ba7b4104b14f6a2301f0603551d2304183016801455e94876be082d97c6565a550ba7b4104b14f6a2300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382010100422038356b429ed7b115c75c6c6eb16362c0f6f9747d772e4e4b2ec23d61c1750bf0b58210b6006198f0669505871a5f04078c3a35f90aafc4d3926638d8589c2c413b944846947c49935022990b0631f3735649bfca8253bc5858b298320fe2aa363d6be9f878f888a3e416a13abfb57d54d9392e4e778e71559e36ef5a918a156be2a6c868fc7b9afd9f7851a7faeedc882a39886502b623daacaa50165ed964f323184e6c982b79c5dd915a5df5ad3d260a65011a3cc3ddc28fe8d3bd38608daed8218d6002ef9a53a53c70bd2a75509847d78e4b33e7a1d048dd844651e191d563b95d3fbea0fc1c3ff1f28508c85f1c846d773ecc9feeeed6e9e47f37b5	wizcertutil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\04C604DDC5D3D37B389D086FFF0DEAE0FD9F52A0	wizcertutil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9DE8690DAECF18B1A4ACD2B7CEE9B35FBBA2DDC4	wizcertutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\04C604DDC5D3D37B389D086FFF0DEAE0FD9F52A0\Blob = 03000000010000001400000004c604ddc5d3d37b389d086fff0deae0fd9f52a0200000000100000057030000308203533082023ba003020102021474b7009ee43bc78fce6973ade1da8b18c5e8725a300d06092a864886f70d01010505003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484131301e170d3139313032333033303533335a170d3430303530353033303533335a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c27feb98a564b360a80aaa5b9fe67416af79858286a82f1f61355b1435df90f9a6f7da8700c3188a702eac88c4ea781d468c34ba4150877b0c975f12d6b24fbd36b9296460bb6aa8e01d983c9e4bafda06db4fe05ddbf067fab1cc6a26c93f009fe347924a04da2a3e3878061b5466031afcdcae5ce040afb2be5980adb61da7537df90eb5d2d1809e0c5fc97d64656526ebece124fa927886fcc8653b3a205d639914506c2918f2a73a5e378687a850e5437698ce72d3b880d2e27b9412fa84bd77a4f2216ddc795288319eec534651ad2386cf81c818ecaeadaabfad971c223c435ac15ba3aff4e082be65a5b36be8e9321bba67175ee4ef9da9f08612243f0203010001a3533051301d0603551d0e041604141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21301f0603551d230418301680141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21300f0603551d130101ff040530030101ff300d06092a864886f70d010105050003820101007a88b369c2d691d240e5dfdcbfd66d5b5f203c2da103461a8fd15353921074cfd0dfdd0ed2a0491e367dc0b6a9e3db3c12a379fa78b5f5830dc9ebb03c07acd96f0c6410f7299a5fada79b3afb60d412c701a7a22e7ef21e5b4776100da45a46eb2365fad67ebaa2502a5e6e8e9db94c46d259f6946f99a8897f125c0b87ba5ae3206c4b5d5f15b720d0b5016f7455092d10137fa4a8b6fa618373ba9a44f3902fd5d376ebc4855f6792fc6d5e3285311525774bb400c4efef64645957ba75a1282a9d594b89dca9d826afce9a280197649c691b00b67a214c2fa2df058c5272eb0b85658053ce80a90dbaa17551ab8541818be149304ca4b424b160f20cd91e	wizcertutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	wpmsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	veraport-x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	veraport-x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9DE8690DAECF18B1A4ACD2B7CEE9B35FBBA2DDC4\Blob = 190000000100000010000000c94ae95612b49497def648c8be0d81020f0000000100000020000000305d8552cda90543300c4b19400d9f469a9000f0a13d21c167734e20b17fa2c50300000001000000140000009de8690daecf18b1a4acd2b7cee9b35fbba2ddc414000000010000001400000055e94876be082d97c6565a550ba7b4104b14f6a2200000000100000057030000308203533082023ba003020102021420bbeb748527aeaa25fb381926de8dc207102b71300d06092a864886f70d01010b05003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484132301e170d3139313032333033303430385a170d3430303530353033303430385a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413230820122300d06092a864886f70d01010105000382010f003082010a0282010100f3da060f38568f5a6d95f2eba256cf4cdbba97fd6604e73aefc899187c2dd8d1f1c0fa8f8c4fc69a05afe6e4b7964f61c3b67b76f5d2ff73f9d7a013cab9160a94e6442f14cd79e8ae208288745c0f63280c756dcf23d381bad6ee6c17fc04ef5132516dd7274132b87dafb519e16338aaffddda20848430eece2f4ce7b877f16738404db86cf2b1ddeded08388f90e6507261b8f07669b17fe2b5f7971411ad07017541ea53a4e6fd28bf822e4a66855afb87c070b8d1ee1ff90dec14aa462fedb5b17439ca7a9b90221ed54c66f4d8e217acb686b3f5f0306538e8ace848185ccae2f82838d7fa35813de7d32af420a9f540e1645de795c98b77db8c6f42670203010001a3533051301d0603551d0e0416041455e94876be082d97c6565a550ba7b4104b14f6a2301f0603551d2304183016801455e94876be082d97c6565a550ba7b4104b14f6a2300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382010100422038356b429ed7b115c75c6c6eb16362c0f6f9747d772e4e4b2ec23d61c1750bf0b58210b6006198f0669505871a5f04078c3a35f90aafc4d3926638d8589c2c413b944846947c49935022990b0631f3735649bfca8253bc5858b298320fe2aa363d6be9f878f888a3e416a13abfb57d54d9392e4e778e71559e36ef5a918a156be2a6c868fc7b9afd9f7851a7faeedc882a39886502b623daacaa50165ed964f323184e6c982b79c5dd915a5df5ad3d260a65011a3cc3ddc28fe8d3bd38608daed8218d6002ef9a53a53c70bd2a75509847d78e4b33e7a1d048dd844651e191d563b95d3fbea0fc1c3ff1f28508c85f1c846d773ecc9feeeed6e9e47f37b5	wpmsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	wpmsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\04C604DDC5D3D37B389D086FFF0DEAE0FD9F52A0\Blob = 1400000001000000140000001441f9f6d847d7ba9ce339e9b1ee12ec7d42af2103000000010000001400000004c604ddc5d3d37b389d086fff0deae0fd9f52a00f0000000100000014000000ed29bda8c145d03315d8492c6159cd508c36a080200000000100000057030000308203533082023ba003020102021474b7009ee43bc78fce6973ade1da8b18c5e8725a300d06092a864886f70d01010505003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484131301e170d3139313032333033303533335a170d3430303530353033303533335a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c27feb98a564b360a80aaa5b9fe67416af79858286a82f1f61355b1435df90f9a6f7da8700c3188a702eac88c4ea781d468c34ba4150877b0c975f12d6b24fbd36b9296460bb6aa8e01d983c9e4bafda06db4fe05ddbf067fab1cc6a26c93f009fe347924a04da2a3e3878061b5466031afcdcae5ce040afb2be5980adb61da7537df90eb5d2d1809e0c5fc97d64656526ebece124fa927886fcc8653b3a205d639914506c2918f2a73a5e378687a850e5437698ce72d3b880d2e27b9412fa84bd77a4f2216ddc795288319eec534651ad2386cf81c818ecaeadaabfad971c223c435ac15ba3aff4e082be65a5b36be8e9321bba67175ee4ef9da9f08612243f0203010001a3533051301d0603551d0e041604141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21301f0603551d230418301680141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21300f0603551d130101ff040530030101ff300d06092a864886f70d010105050003820101007a88b369c2d691d240e5dfdcbfd66d5b5f203c2da103461a8fd15353921074cfd0dfdd0ed2a0491e367dc0b6a9e3db3c12a379fa78b5f5830dc9ebb03c07acd96f0c6410f7299a5fada79b3afb60d412c701a7a22e7ef21e5b4776100da45a46eb2365fad67ebaa2502a5e6e8e9db94c46d259f6946f99a8897f125c0b87ba5ae3206c4b5d5f15b720d0b5016f7455092d10137fa4a8b6fa618373ba9a44f3902fd5d376ebc4855f6792fc6d5e3285311525774bb400c4efef64645957ba75a1282a9d594b89dca9d826afce9a280197649c691b00b67a214c2fa2df058c5272eb0b85658053ce80a90dbaa17551ab8541818be149304ca4b424b160f20cd91e	wpmsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\04C604DDC5D3D37B389D086FFF0DEAE0FD9F52A0\Blob = 19000000010000001000000033f679ed86b18586d8c7c38d19b454b40f0000000100000014000000ed29bda8c145d03315d8492c6159cd508c36a08003000000010000001400000004c604ddc5d3d37b389d086fff0deae0fd9f52a01400000001000000140000001441f9f6d847d7ba9ce339e9b1ee12ec7d42af21200000000100000057030000308203533082023ba003020102021474b7009ee43bc78fce6973ade1da8b18c5e8725a300d06092a864886f70d01010505003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484131301e170d3139313032333033303533335a170d3430303530353033303533335a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c27feb98a564b360a80aaa5b9fe67416af79858286a82f1f61355b1435df90f9a6f7da8700c3188a702eac88c4ea781d468c34ba4150877b0c975f12d6b24fbd36b9296460bb6aa8e01d983c9e4bafda06db4fe05ddbf067fab1cc6a26c93f009fe347924a04da2a3e3878061b5466031afcdcae5ce040afb2be5980adb61da7537df90eb5d2d1809e0c5fc97d64656526ebece124fa927886fcc8653b3a205d639914506c2918f2a73a5e378687a850e5437698ce72d3b880d2e27b9412fa84bd77a4f2216ddc795288319eec534651ad2386cf81c818ecaeadaabfad971c223c435ac15ba3aff4e082be65a5b36be8e9321bba67175ee4ef9da9f08612243f0203010001a3533051301d0603551d0e041604141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21301f0603551d230418301680141441f9f6d847d7ba9ce339e9b1ee12ec7d42af21300f0603551d130101ff040530030101ff300d06092a864886f70d010105050003820101007a88b369c2d691d240e5dfdcbfd66d5b5f203c2da103461a8fd15353921074cfd0dfdd0ed2a0491e367dc0b6a9e3db3c12a379fa78b5f5830dc9ebb03c07acd96f0c6410f7299a5fada79b3afb60d412c701a7a22e7ef21e5b4776100da45a46eb2365fad67ebaa2502a5e6e8e9db94c46d259f6946f99a8897f125c0b87ba5ae3206c4b5d5f15b720d0b5016f7455092d10137fa4a8b6fa618373ba9a44f3902fd5d376ebc4855f6792fc6d5e3285311525774bb400c4efef64645957ba75a1282a9d594b89dca9d826afce9a280197649c691b00b67a214c2fa2df058c5272eb0b85658053ce80a90dbaa17551ab8541818be149304ca4b424b160f20cd91e	wpmsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	wpmsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9DE8690DAECF18B1A4ACD2B7CEE9B35FBBA2DDC4	wpmsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9DE8690DAECF18B1A4ACD2B7CEE9B35FBBA2DDC4\Blob = 14000000010000001400000055e94876be082d97c6565a550ba7b4104b14f6a20300000001000000140000009de8690daecf18b1a4acd2b7cee9b35fbba2ddc40f0000000100000020000000305d8552cda90543300c4b19400d9f469a9000f0a13d21c167734e20b17fa2c5200000000100000057030000308203533082023ba003020102021420bbeb748527aeaa25fb381926de8dc207102b71300d06092a864886f70d01010b05003039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d53484132301e170d3139313032333033303430385a170d3430303530353033303430385a3039310b3009060355040613024b523110300e060355040a0c0757495a564552413118301606035504030c0f57495a564552412d43412d5348413230820122300d06092a864886f70d01010105000382010f003082010a0282010100f3da060f38568f5a6d95f2eba256cf4cdbba97fd6604e73aefc899187c2dd8d1f1c0fa8f8c4fc69a05afe6e4b7964f61c3b67b76f5d2ff73f9d7a013cab9160a94e6442f14cd79e8ae208288745c0f63280c756dcf23d381bad6ee6c17fc04ef5132516dd7274132b87dafb519e16338aaffddda20848430eece2f4ce7b877f16738404db86cf2b1ddeded08388f90e6507261b8f07669b17fe2b5f7971411ad07017541ea53a4e6fd28bf822e4a66855afb87c070b8d1ee1ff90dec14aa462fedb5b17439ca7a9b90221ed54c66f4d8e217acb686b3f5f0306538e8ace848185ccae2f82838d7fa35813de7d32af420a9f540e1645de795c98b77db8c6f42670203010001a3533051301d0603551d0e0416041455e94876be082d97c6565a550ba7b4104b14f6a2301f0603551d2304183016801455e94876be082d97c6565a550ba7b4104b14f6a2300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382010100422038356b429ed7b115c75c6c6eb16362c0f6f9747d772e4e4b2ec23d61c1750bf0b58210b6006198f0669505871a5f04078c3a35f90aafc4d3926638d8589c2c413b944846947c49935022990b0631f3735649bfca8253bc5858b298320fe2aa363d6be9f878f888a3e416a13abfb57d54d9392e4e778e71559e36ef5a918a156be2a6c868fc7b9afd9f7851a7faeedc882a39886502b623daacaa50165ed964f323184e6c982b79c5dd915a5df5ad3d260a65011a3cc3ddc28fe8d3bd38608daed8218d6002ef9a53a53c70bd2a75509847d78e4b33e7a1d048dd844651e191d563b95d3fbea0fc1c3ff1f28508c85f1c846d773ecc9feeeed6e9e47f37b5	wpmsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

veraport20unloader.exewizcertutil.exeWizSvcUtil.exewpmsvc.exewpmsvc.exeveraport-x64.exe

pid	process
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
564	wizcertutil.exe
1892	WizSvcUtil.exe
976	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
552	veraport-x64.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe
1716	wpmsvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

veraport-g3-x64.tmpwpmsvcsetup.tmp

pid process

1444 veraport-g3-x64.tmp
1904 wpmsvcsetup.tmp

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

veraport20unloader.exeveraport20unloader.exewizcertutil.exeveraport-x64.exe

pid	process
1704	veraport20unloader.exe
1704	veraport20unloader.exe
368	veraport20unloader.exe
368	veraport20unloader.exe
564	wizcertutil.exe
564	wizcertutil.exe
552	veraport-x64.exe
552	veraport-x64.exe
552	veraport-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

veraport-g3-x64.exeveraport-g3-x64.tmpwizcertutil.exe

description	pid	process	target process
PID 1072 wrote to memory of 1444	1072	veraport-g3-x64.exe	veraport-g3-x64.tmp
PID 1072 wrote to memory of 1444	1072	veraport-g3-x64.exe	veraport-g3-x64.tmp
PID 1072 wrote to memory of 1444	1072	veraport-g3-x64.exe	veraport-g3-x64.tmp
PID 1072 wrote to memory of 1444	1072	veraport-g3-x64.exe	veraport-g3-x64.tmp
PID 1072 wrote to memory of 1444	1072	veraport-g3-x64.exe	veraport-g3-x64.tmp
PID 1072 wrote to memory of 1444	1072	veraport-g3-x64.exe	veraport-g3-x64.tmp
PID 1072 wrote to memory of 1444	1072	veraport-g3-x64.exe	veraport-g3-x64.tmp
PID 1444 wrote to memory of 1996	1444	veraport-g3-x64.tmp	sc.exe
PID 1444 wrote to memory of 1996	1444	veraport-g3-x64.tmp	sc.exe
PID 1444 wrote to memory of 1996	1444	veraport-g3-x64.tmp	sc.exe
PID 1444 wrote to memory of 1996	1444	veraport-g3-x64.tmp	sc.exe
PID 1444 wrote to memory of 1704	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 1704	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 1704	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 1704	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 368	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 368	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 368	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 368	1444	veraport-g3-x64.tmp	veraport20unloader.exe
PID 1444 wrote to memory of 916	1444	veraport-g3-x64.tmp	regsvr32.exe
PID 1444 wrote to memory of 916	1444	veraport-g3-x64.tmp	regsvr32.exe
PID 1444 wrote to memory of 916	1444	veraport-g3-x64.tmp	regsvr32.exe
PID 1444 wrote to memory of 916	1444	veraport-g3-x64.tmp	regsvr32.exe
PID 1444 wrote to memory of 916	1444	veraport-g3-x64.tmp	regsvr32.exe
PID 1444 wrote to memory of 916	1444	veraport-g3-x64.tmp	regsvr32.exe
PID 1444 wrote to memory of 916	1444	veraport-g3-x64.tmp	regsvr32.exe
PID 1444 wrote to memory of 1648	1444	veraport-g3-x64.tmp	wizveraregsvr.exe
PID 1444 wrote to memory of 1648	1444	veraport-g3-x64.tmp	wizveraregsvr.exe
PID 1444 wrote to memory of 1648	1444	veraport-g3-x64.tmp	wizveraregsvr.exe
PID 1444 wrote to memory of 1648	1444	veraport-g3-x64.tmp	wizveraregsvr.exe
PID 1444 wrote to memory of 564	1444	veraport-g3-x64.tmp	wizcertutil.exe
PID 1444 wrote to memory of 564	1444	veraport-g3-x64.tmp	wizcertutil.exe
PID 1444 wrote to memory of 564	1444	veraport-g3-x64.tmp	wizcertutil.exe
PID 1444 wrote to memory of 564	1444	veraport-g3-x64.tmp	wizcertutil.exe
PID 564 wrote to memory of 664	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 664	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 664	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 664	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1800	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1800	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1800	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1800	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1016	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1016	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1016	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1016	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1704	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1704	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1704	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1704	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1076	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1076	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1076	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1076	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 964	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 964	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 964	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 964	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1064	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1064	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1064	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 1064	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 440	564	wizcertutil.exe	certutil.exe
PID 564 wrote to memory of 440	564	wizcertutil.exe	certutil.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

veraport-g3-x64.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	veraport-g3-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{477D5B9A-6479-44F8-9718-9340119B0308} = "2"	veraport-g3-x64.tmp

C:\Users\Admin\AppData\Local\Temp\veraport-g3-x64.exe
"C:\Users\Admin\AppData\Local\Temp\veraport-g3-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\is-7THH0.tmp\veraport-g3-x64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7THH0.tmp\veraport-g3-x64.tmp" /SL5="$3011A,6537973,54272,C:\Users\Admin\AppData\Local\Temp\veraport-g3-x64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1444

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" stop WizveraPMSvc
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe" /addloopback
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe" /link
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:368

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:916

C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe
"C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1648

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wizcertutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wizcertutil.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i wizvera_ca.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i wizvera_ca.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe" -A -n "WIZVERA-CA-SHA1" -t "TCu,Cuw,Tuw" -i wizvera1_ca.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe" -A -n "WIZVERA-CA-SHA1" -t "TCu,Cuw,Tuw" -i wizvera1_ca.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i wizvera_ca.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
PID:1076

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i wizvera_ca.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe" -A -n "WIZVERA-CA-SHA1" -t "TCu,Cuw,Tuw" -i wizvera1_ca.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
PID:1064

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe" -A -n "WIZVERA-CA-SHA1" -t "TCu,Cuw,Tuw" -i wizvera1_ca.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.default-release"
4⤵
- Executes dropped EXE
PID:440

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i wizvera_ca.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.Admin"
4⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i wizvera_ca.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.Admin"
4⤵
- Executes dropped EXE
PID:696

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe" -A -n "WIZVERA-CA-SHA1" -t "TCu,Cuw,Tuw" -i wizvera1_ca.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.Admin"
4⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe" -A -n "WIZVERA-CA-SHA1" -t "TCu,Cuw,Tuw" -i wizvera1_ca.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jl56y3z6.Admin"
4⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wpmsvcsetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wpmsvcsetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\is-1S4V2.tmp\wpmsvcsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1S4V2.tmp\wpmsvcsetup.tmp" /SL5="$501A6,1729076,54272,C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wpmsvcsetup.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1904

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" stop WizveraPMSvc
5⤵
PID:1680

C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe
"C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto
5⤵
PID:2008

C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe
"C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start WizveraPMSvc
5⤵
PID:1184

C:\Program Files\Wizvera\Veraport20\veraport-x64.exe
"C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" start WizveraPMSvc
3⤵
PID:1016

C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe
"C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Wizvera\Veraport20\veraport20.dll
MD5
44747493cbcd4d0d826ac88ab1096098

SHA1
ae42c411bcc6ebcdf9e7d836276a5b340befe1ce

SHA256
c41ab84b0a7dc7ba2f3bda085c50fc59d4e47ed23e4b309dff9300e285e51676

SHA512
f56c5bf9d9677a6a4b3ce719a31d82254ff1f37bfe27c40f93654e5aafd0fb4212ac50141acd2ce3f35d62127a1d8734ec784c699e1fbdc91bdb14f5628e6573

Download Submit
C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe
MD5
aa4ef1c182a79f24b519167c41fab32e

SHA1
d87210debd30250c8d9c3091d2a7ed1a3c662d1b

SHA256
5f196219171fb668b4022acbe3e1d58a90d202d0622d6ebcd67d224ad9ed58db

SHA512
2ea4a65126b44a1dbd467297d0d769f6aafd7e9d084b79af8bc967f0ac382a766b0f6940d5df15101f585ee2c07e75a40d87d6a0b1c987c863fb6df50a933c07

Download Submit
C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe
MD5
aa4ef1c182a79f24b519167c41fab32e

SHA1
d87210debd30250c8d9c3091d2a7ed1a3c662d1b

SHA256
5f196219171fb668b4022acbe3e1d58a90d202d0622d6ebcd67d224ad9ed58db

SHA512
2ea4a65126b44a1dbd467297d0d769f6aafd7e9d084b79af8bc967f0ac382a766b0f6940d5df15101f585ee2c07e75a40d87d6a0b1c987c863fb6df50a933c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THH0.tmp\veraport-g3-x64.tmp
MD5
67c5a4f36e1c91a3b85e440edd7ad026

SHA1
e49ea0e558ed682498cc61b3070e4c402fbf0912

SHA256
99c299d6565ab53d9af66e0146737dc0ecfbc52ecf4740825b552db0cc4210c6

SHA512
40522d4645ece0db9888ea40d1a11356aa5efc191184a0b97cb54a6c243532b1fc306e9095bbfa1f5dc02c8e52b709650230d1383532136e56caea3dc19a973e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THH0.tmp\veraport-g3-x64.tmp
MD5
67c5a4f36e1c91a3b85e440edd7ad026

SHA1
e49ea0e558ed682498cc61b3070e4c402fbf0912

SHA256
99c299d6565ab53d9af66e0146737dc0ecfbc52ecf4740825b552db0cc4210c6

SHA512
40522d4645ece0db9888ea40d1a11356aa5efc191184a0b97cb54a6c243532b1fc306e9095bbfa1f5dc02c8e52b709650230d1383532136e56caea3dc19a973e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\MSVCR71.dll
MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
MD5
a253cbbfbceee37dd90b999d26542038

SHA1
6a7a056c1f4be22af7acb1e852490e7068576315

SHA256
74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa

SHA512
64863efa65d618273999439305cec0a0d4436ee896e6a231848565d372a98ed8a67607365b61e2e85e4145e73219ace56e44e13eddc52d948ec706767929d3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
MD5
a253cbbfbceee37dd90b999d26542038

SHA1
6a7a056c1f4be22af7acb1e852490e7068576315

SHA256
74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa

SHA512
64863efa65d618273999439305cec0a0d4436ee896e6a231848565d372a98ed8a67607365b61e2e85e4145e73219ace56e44e13eddc52d948ec706767929d3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\nspr4.dll
MD5
4290f101800094ec7b8443cc9be8a27d

SHA1
44e6783dcb5aab7657b8cd8d1d80ababc23ce184

SHA256
115891a18b53cbcb92850a6592ebd49657c61564bdfc980defd31a162fa48835

SHA512
6734f5b526562c4bd5da575c1147d49c69949479ba7520605fbbc86f22cd0ea2a97d78f01d665bfba24b0d62463a3ad1cf2bee715bd592690412255b94132ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\nss3.dll
MD5
09cacf1074663b90a88c2345f42425ff

SHA1
1e39acf3943ac3b4b603028619bf736b25458691

SHA256
775aac71a08eb6780098c8b080ab910ebb1d62635356e294bc8ff24c98e24357

SHA512
4477902f79c7cb90f8b450279b6b6cc3e40677d899d10f9d4913fc33e5ea85ca1d4a01f5099ff684279b7eb8a3f516663cf30942500270888fe59ae2ef26f363

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\plc4.dll
MD5
a92fb57b8c875df18efe4d22041fe4a1

SHA1
3223b2c4b2d52ed7ba96ecf7642a3e85efad74fa

SHA256
dd1b461e36803f4182e009db962d1f58181725e82e28d6f0c4aa8774e5af6a69

SHA512
d798ed0f62de8072b6bea8f98d81249922ce4ef36a6b64210086394f34dc529cd7fe5d06b0f72848ee401d477eb04ca528c7adf833744e221b0482f375aee2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\plds4.dll
MD5
c1d41c933445ece136b075054ceca505

SHA1
eb102b2bb225b408c54a76f1aefde9d1ef3b5fbd

SHA256
bbdb559858f7e0e4ab347816bfee8679d788bf2548fad6b15bb509153fffe189

SHA512
99c3506a1fc044672fdc174a738121c003195e6f692d4ae74771d610cdb03a691416c388ace8523c14a5d505c201a03f9e1e545e181406e9697e56cf9b12e6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\smime3.dll
MD5
031a02aadf62df41f8558a18e5d280a9

SHA1
2e86e1888c5f2a0b3f6db33aa3807720c3552b6d

SHA256
99f21b76ef9fd0b3842fc5c3de62bd9f5c0fe554b0f9b25fa75055c07b3a71f2

SHA512
17095add41686ca495ee27559e6eaee998bcc4f28b02a49d48a44a76e65aba2ab6bd294b11fba4f8bb23c0d774c7c5d6d169bd9671be8300abc6b121679661cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\softokn3.dll
MD5
b2ad88dd7b83b62695b764d1dadfc15d

SHA1
3038440c37c3017f2cd830425fdb9c4766d7ba7e

SHA256
80984e8751d01e0bb1be9d2449402b9c90dd80f795cabddd50b720be8059e037

SHA512
8af47c36e2b56a4d9beb46d6831f2210c4ff7affa38344cb21f6a2f6e724327a51f5aa0ea23f8b7abc39f3212b10e55e532c516f4aeb31b462b4234b5748be27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\MSVCR120.dll
MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\nspr4.dll
MD5
bd0e897dbc2dcc0cf1287ffd7c734cf0

SHA1
5c9c6c6082127d106520ff2e88d4cd4b665d134f

SHA256
2d2096447b366d6640f2670edb474ab208d8d85b5650db5e80cc985d1189f911

SHA512
db21b151b9877c9b5a5dc2eda3afa6a75a827ce1f340032427b7de1d9f9803767aecc582862b58885f456c78fc75ee529581089b725975600e45c6af785280a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\nss3.dll
MD5
54f3932864eed803bd1cb82df43f0c76

SHA1
675960acfed6df22ae0a41973b08494554b37f1a

SHA256
96e068e6162a98d212b57c86b14fc539f1bbdccd363f68efd8cdfecc90c699d3

SHA512
3e1eccb33b8371dbe4801c5c3909130eb4e2a8a9aec80d2c7b2528b00dd137c5ffe672095963d207b48e10f8e024c34fe841aa7ed22c7b7fa6e058165fce90b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\nssutil3.dll
MD5
c19416e9cf9e571068ca14276c6e0620

SHA1
b5e8ee4659b678fb3b234055b1eeda920eb20b30

SHA256
ba9341807b42e90bb0380d51a83d3d6a0de7d57b6820a8b0cbe5e36e978860fa

SHA512
5cde579f66e0677f1419dc11723e1f7b5a7d408b4b3250e26aa0c0863a46b6fd86f17813416769f1eec89375f3c9c83fed468a17d1ef80f83ff1744927e7da79

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\plc4.dll
MD5
88b4df8d7d536a195f866b70c48ed534

SHA1
a385bcd411c3dfad1c08cf56977c1ba45ecbf2f9

SHA256
09f01488a002915b8472a4e82adb7a3e8cb43bd77db347b0178eae614f846a0a

SHA512
b8291cc96a40391d69a75dd348204083f2e21a752a8af3339fd524f8dbb9947575c33eb8ecf77fc177cf2e3568777b2de267cf63301034b28adcfef40ab821c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\plds4.dll
MD5
b7ed50495d311cf6e7ad247968dd2079

SHA1
3364725821ea012f8fa99df102677befc5ff929f

SHA256
20166e281b31ae60672b9d87cb69fcba0c38cc5e18a8ba081c5601ccfab7589f

SHA512
a783f0a00d016a5974f87399637bddd5a5821e3a79c5acb2f6b3f097c9bffefb8a1dee7d968c0646faa2d854a105c57988d244d9c47fb9c189d8383c00a8d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\smime3.dll
MD5
94624bbab23a92e0a5f90cce9a5a340d

SHA1
a81d1e0a2c75657f698cee9346fa85423b9b365f

SHA256
b0104ea7aaa257b111982bd0763c1c47fff76bd70249f84dcad834d50444df1a

SHA512
d623e4d271a0dcc0f16e4a2dc4d10422de42445d6da60a5fdb149c511b5e5363de448696592e11dce118f950eed2e92cffb78056c80e1a8e3a42d44ec54cb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\softokn3.dll
MD5
6832b9a7ab871d81be42054f117b8299

SHA1
935c0fe7e6cb356a8854e3b7046fd7fc0aa29c61

SHA256
b1316e04b3bf464906f4e015d3e71b4e06a65cc6e59a20a96984ee1e862dcb0e

SHA512
e6579f7df7b3c43219e47630a6b51a576d2ffa9902ddb0f309f5ccb210242dd16ebec75439b2bac22e5cb0b62984386cb6eb4190b2914827b79e3e4afbbdee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\sqlite3.dll
MD5
3a58690aff7051bb18ea9d764a450551

SHA1
5ce859b3229da70925ffa25564cb6d7c84dd6c36

SHA256
d2d0b729837574d2eb6adac4f819bc4f8534ac9a43b17663942b2401a02db02a

SHA512
299634094a624ee8ad2898d3f2bdf8fee23f234c160992e68d087af828a16ff18e3d1fb1ca5755e82f592d6e3e335c63a9c8dad04ef003d2127bbfcdbec649d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe
MD5
071f222dbbc34c2fc4e3b8b73da72d86

SHA1
fc1987149162393d6e14ba0ebe76accef9cb2eed

SHA256
cc070571db19ff9064018f03a4f9c420447669412021f60491245a1024f6f35f

SHA512
68ea56208252ea215b58d1f4ab62ffc7bf63065684c4500db764ed22fcd55b9e623be278d78f0d0581707c3c782c3741e94af67c2a13b4b837fe7d03eb37fc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe
MD5
071f222dbbc34c2fc4e3b8b73da72d86

SHA1
fc1987149162393d6e14ba0ebe76accef9cb2eed

SHA256
cc070571db19ff9064018f03a4f9c420447669412021f60491245a1024f6f35f

SHA512
68ea56208252ea215b58d1f4ab62ffc7bf63065684c4500db764ed22fcd55b9e623be278d78f0d0581707c3c782c3741e94af67c2a13b4b837fe7d03eb37fc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe
MD5
071f222dbbc34c2fc4e3b8b73da72d86

SHA1
fc1987149162393d6e14ba0ebe76accef9cb2eed

SHA256
cc070571db19ff9064018f03a4f9c420447669412021f60491245a1024f6f35f

SHA512
68ea56208252ea215b58d1f4ab62ffc7bf63065684c4500db764ed22fcd55b9e623be278d78f0d0581707c3c782c3741e94af67c2a13b4b837fe7d03eb37fc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wizcertutil.exe
MD5
877dc5d45d64ea54963bd1e1cb58afec

SHA1
d7dd7501299871734ff315616e234bda47036a76

SHA256
901ad24d8606923afa215a8f34e3e71189d915d077f9f2d13800885caac52978

SHA512
1b7d45014264bfb8a462c87f10df38550b7843e10877278ee7150c0c519eaa737988f38768e1a9d3c2b527ea492ded17b48a38cba483fa4d7e264611003ff409

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wizcertutil.exe
MD5
877dc5d45d64ea54963bd1e1cb58afec

SHA1
d7dd7501299871734ff315616e234bda47036a76

SHA256
901ad24d8606923afa215a8f34e3e71189d915d077f9f2d13800885caac52978

SHA512
1b7d45014264bfb8a462c87f10df38550b7843e10877278ee7150c0c519eaa737988f38768e1a9d3c2b527ea492ded17b48a38cba483fa4d7e264611003ff409

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wizvera_ca.crt
MD5
7a65b4226f7b4f594bb4800e3b0996c6

SHA1
5008a17a4426675a5781980151f0f2d06f31cc77

SHA256
905c65b5d8e5436932fe9ee5781ebc26e26b9e302790689058e48bda376ddfa5

SHA512
09fa5ab2ea077dc2a27c2e421a0aecd525ec0bbe27e6442177ca48c753ae74811f8c1851cab376bdd09e616c318d09cddcb4a79861fc716fc2ca37123acfd3ca

Download Submit
\Program Files\Wizvera\Veraport20\veraport20.dll
MD5
44747493cbcd4d0d826ac88ab1096098

SHA1
ae42c411bcc6ebcdf9e7d836276a5b340befe1ce

SHA256
c41ab84b0a7dc7ba2f3bda085c50fc59d4e47ed23e4b309dff9300e285e51676

SHA512
f56c5bf9d9677a6a4b3ce719a31d82254ff1f37bfe27c40f93654e5aafd0fb4212ac50141acd2ce3f35d62127a1d8734ec784c699e1fbdc91bdb14f5628e6573

Download Submit
\Program Files\Wizvera\Veraport20\veraport20.dll
MD5
44747493cbcd4d0d826ac88ab1096098

SHA1
ae42c411bcc6ebcdf9e7d836276a5b340befe1ce

SHA256
c41ab84b0a7dc7ba2f3bda085c50fc59d4e47ed23e4b309dff9300e285e51676

SHA512
f56c5bf9d9677a6a4b3ce719a31d82254ff1f37bfe27c40f93654e5aafd0fb4212ac50141acd2ce3f35d62127a1d8734ec784c699e1fbdc91bdb14f5628e6573

Download Submit
\Program Files\Wizvera\Veraport20\wizveraregsvr.exe
MD5
aa4ef1c182a79f24b519167c41fab32e

SHA1
d87210debd30250c8d9c3091d2a7ed1a3c662d1b

SHA256
5f196219171fb668b4022acbe3e1d58a90d202d0622d6ebcd67d224ad9ed58db

SHA512
2ea4a65126b44a1dbd467297d0d769f6aafd7e9d084b79af8bc967f0ac382a766b0f6940d5df15101f585ee2c07e75a40d87d6a0b1c987c863fb6df50a933c07

Download Submit
\Program Files\Wizvera\Veraport20\wizveraregsvr.exe
MD5
aa4ef1c182a79f24b519167c41fab32e

SHA1
d87210debd30250c8d9c3091d2a7ed1a3c662d1b

SHA256
5f196219171fb668b4022acbe3e1d58a90d202d0622d6ebcd67d224ad9ed58db

SHA512
2ea4a65126b44a1dbd467297d0d769f6aafd7e9d084b79af8bc967f0ac382a766b0f6940d5df15101f585ee2c07e75a40d87d6a0b1c987c863fb6df50a933c07

Download Submit
\Users\Admin\AppData\Local\Temp\is-7THH0.tmp\veraport-g3-x64.tmp
MD5
67c5a4f36e1c91a3b85e440edd7ad026

SHA1
e49ea0e558ed682498cc61b3070e4c402fbf0912

SHA256
99c299d6565ab53d9af66e0146737dc0ecfbc52ecf4740825b552db0cc4210c6

SHA512
40522d4645ece0db9888ea40d1a11356aa5efc191184a0b97cb54a6c243532b1fc306e9095bbfa1f5dc02c8e52b709650230d1383532136e56caea3dc19a973e

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
MD5
a253cbbfbceee37dd90b999d26542038

SHA1
6a7a056c1f4be22af7acb1e852490e7068576315

SHA256
74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa

SHA512
64863efa65d618273999439305cec0a0d4436ee896e6a231848565d372a98ed8a67607365b61e2e85e4145e73219ace56e44e13eddc52d948ec706767929d3c2

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
MD5
a253cbbfbceee37dd90b999d26542038

SHA1
6a7a056c1f4be22af7acb1e852490e7068576315

SHA256
74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa

SHA512
64863efa65d618273999439305cec0a0d4436ee896e6a231848565d372a98ed8a67607365b61e2e85e4145e73219ace56e44e13eddc52d948ec706767929d3c2

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
MD5
a253cbbfbceee37dd90b999d26542038

SHA1
6a7a056c1f4be22af7acb1e852490e7068576315

SHA256
74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa

SHA512
64863efa65d618273999439305cec0a0d4436ee896e6a231848565d372a98ed8a67607365b61e2e85e4145e73219ace56e44e13eddc52d948ec706767929d3c2

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\certutil.exe
MD5
a253cbbfbceee37dd90b999d26542038

SHA1
6a7a056c1f4be22af7acb1e852490e7068576315

SHA256
74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa

SHA512
64863efa65d618273999439305cec0a0d4436ee896e6a231848565d372a98ed8a67607365b61e2e85e4145e73219ace56e44e13eddc52d948ec706767929d3c2

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\msvcr71.dll
MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\nspr4.dll
MD5
4290f101800094ec7b8443cc9be8a27d

SHA1
44e6783dcb5aab7657b8cd8d1d80ababc23ce184

SHA256
115891a18b53cbcb92850a6592ebd49657c61564bdfc980defd31a162fa48835

SHA512
6734f5b526562c4bd5da575c1147d49c69949479ba7520605fbbc86f22cd0ea2a97d78f01d665bfba24b0d62463a3ad1cf2bee715bd592690412255b94132ce8

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\nss3.dll
MD5
09cacf1074663b90a88c2345f42425ff

SHA1
1e39acf3943ac3b4b603028619bf736b25458691

SHA256
775aac71a08eb6780098c8b080ab910ebb1d62635356e294bc8ff24c98e24357

SHA512
4477902f79c7cb90f8b450279b6b6cc3e40677d899d10f9d4913fc33e5ea85ca1d4a01f5099ff684279b7eb8a3f516663cf30942500270888fe59ae2ef26f363

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\plc4.dll
MD5
a92fb57b8c875df18efe4d22041fe4a1

SHA1
3223b2c4b2d52ed7ba96ecf7642a3e85efad74fa

SHA256
dd1b461e36803f4182e009db962d1f58181725e82e28d6f0c4aa8774e5af6a69

SHA512
d798ed0f62de8072b6bea8f98d81249922ce4ef36a6b64210086394f34dc529cd7fe5d06b0f72848ee401d477eb04ca528c7adf833744e221b0482f375aee2b1

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\plds4.dll
MD5
c1d41c933445ece136b075054ceca505

SHA1
eb102b2bb225b408c54a76f1aefde9d1ef3b5fbd

SHA256
bbdb559858f7e0e4ab347816bfee8679d788bf2548fad6b15bb509153fffe189

SHA512
99c3506a1fc044672fdc174a738121c003195e6f692d4ae74771d610cdb03a691416c388ace8523c14a5d505c201a03f9e1e545e181406e9697e56cf9b12e6b4

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\smime3.dll
MD5
031a02aadf62df41f8558a18e5d280a9

SHA1
2e86e1888c5f2a0b3f6db33aa3807720c3552b6d

SHA256
99f21b76ef9fd0b3842fc5c3de62bd9f5c0fe554b0f9b25fa75055c07b3a71f2

SHA512
17095add41686ca495ee27559e6eaee998bcc4f28b02a49d48a44a76e65aba2ab6bd294b11fba4f8bb23c0d774c7c5d6d169bd9671be8300abc6b121679661cd

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss\softokn3.dll
MD5
b2ad88dd7b83b62695b764d1dadfc15d

SHA1
3038440c37c3017f2cd830425fdb9c4766d7ba7e

SHA256
80984e8751d01e0bb1be9d2449402b9c90dd80f795cabddd50b720be8059e037

SHA512
8af47c36e2b56a4d9beb46d6831f2210c4ff7affa38344cb21f6a2f6e724327a51f5aa0ea23f8b7abc39f3212b10e55e532c516f4aeb31b462b4234b5748be27

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\certutil.exe
MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\msvcr120.dll
MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\nspr4.dll
MD5
bd0e897dbc2dcc0cf1287ffd7c734cf0

SHA1
5c9c6c6082127d106520ff2e88d4cd4b665d134f

SHA256
2d2096447b366d6640f2670edb474ab208d8d85b5650db5e80cc985d1189f911

SHA512
db21b151b9877c9b5a5dc2eda3afa6a75a827ce1f340032427b7de1d9f9803767aecc582862b58885f456c78fc75ee529581089b725975600e45c6af785280a9

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\nss3.dll
MD5
54f3932864eed803bd1cb82df43f0c76

SHA1
675960acfed6df22ae0a41973b08494554b37f1a

SHA256
96e068e6162a98d212b57c86b14fc539f1bbdccd363f68efd8cdfecc90c699d3

SHA512
3e1eccb33b8371dbe4801c5c3909130eb4e2a8a9aec80d2c7b2528b00dd137c5ffe672095963d207b48e10f8e024c34fe841aa7ed22c7b7fa6e058165fce90b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\nssutil3.dll
MD5
c19416e9cf9e571068ca14276c6e0620

SHA1
b5e8ee4659b678fb3b234055b1eeda920eb20b30

SHA256
ba9341807b42e90bb0380d51a83d3d6a0de7d57b6820a8b0cbe5e36e978860fa

SHA512
5cde579f66e0677f1419dc11723e1f7b5a7d408b4b3250e26aa0c0863a46b6fd86f17813416769f1eec89375f3c9c83fed468a17d1ef80f83ff1744927e7da79

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\plc4.dll
MD5
88b4df8d7d536a195f866b70c48ed534

SHA1
a385bcd411c3dfad1c08cf56977c1ba45ecbf2f9

SHA256
09f01488a002915b8472a4e82adb7a3e8cb43bd77db347b0178eae614f846a0a

SHA512
b8291cc96a40391d69a75dd348204083f2e21a752a8af3339fd524f8dbb9947575c33eb8ecf77fc177cf2e3568777b2de267cf63301034b28adcfef40ab821c1

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\plds4.dll
MD5
b7ed50495d311cf6e7ad247968dd2079

SHA1
3364725821ea012f8fa99df102677befc5ff929f

SHA256
20166e281b31ae60672b9d87cb69fcba0c38cc5e18a8ba081c5601ccfab7589f

SHA512
a783f0a00d016a5974f87399637bddd5a5821e3a79c5acb2f6b3f097c9bffefb8a1dee7d968c0646faa2d854a105c57988d244d9c47fb9c189d8383c00a8d2fe

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\smime3.dll
MD5
94624bbab23a92e0a5f90cce9a5a340d

SHA1
a81d1e0a2c75657f698cee9346fa85423b9b365f

SHA256
b0104ea7aaa257b111982bd0763c1c47fff76bd70249f84dcad834d50444df1a

SHA512
d623e4d271a0dcc0f16e4a2dc4d10422de42445d6da60a5fdb149c511b5e5363de448696592e11dce118f950eed2e92cffb78056c80e1a8e3a42d44ec54cb9f3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\nss_sql\softokn3.dll
MD5
6832b9a7ab871d81be42054f117b8299

SHA1
935c0fe7e6cb356a8854e3b7046fd7fc0aa29c61

SHA256
b1316e04b3bf464906f4e015d3e71b4e06a65cc6e59a20a96984ee1e862dcb0e

SHA512
e6579f7df7b3c43219e47630a6b51a576d2ffa9902ddb0f309f5ccb210242dd16ebec75439b2bac22e5cb0b62984386cb6eb4190b2914827b79e3e4afbbdee9c

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe
MD5
071f222dbbc34c2fc4e3b8b73da72d86

SHA1
fc1987149162393d6e14ba0ebe76accef9cb2eed

SHA256
cc070571db19ff9064018f03a4f9c420447669412021f60491245a1024f6f35f

SHA512
68ea56208252ea215b58d1f4ab62ffc7bf63065684c4500db764ed22fcd55b9e623be278d78f0d0581707c3c782c3741e94af67c2a13b4b837fe7d03eb37fc63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\veraport20unloader.exe
MD5
071f222dbbc34c2fc4e3b8b73da72d86

SHA1
fc1987149162393d6e14ba0ebe76accef9cb2eed

SHA256
cc070571db19ff9064018f03a4f9c420447669412021f60491245a1024f6f35f

SHA512
68ea56208252ea215b58d1f4ab62ffc7bf63065684c4500db764ed22fcd55b9e623be278d78f0d0581707c3c782c3741e94af67c2a13b4b837fe7d03eb37fc63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PL35F.tmp\wizcertutil.exe
MD5
877dc5d45d64ea54963bd1e1cb58afec

SHA1
d7dd7501299871734ff315616e234bda47036a76

SHA256
901ad24d8606923afa215a8f34e3e71189d915d077f9f2d13800885caac52978

SHA512
1b7d45014264bfb8a462c87f10df38550b7843e10877278ee7150c0c519eaa737988f38768e1a9d3c2b527ea492ded17b48a38cba483fa4d7e264611003ff409

Download Submit
memory/368-17-0x0000000000000000-mapping.dmp

Download
memory/440-87-0x0000000000000000-mapping.dmp

Download
memory/552-113-0x0000000000000000-mapping.dmp

Download
memory/564-32-0x0000000000000000-mapping.dmp

Download
memory/664-41-0x0000000000000000-mapping.dmp

Download
memory/696-89-0x0000000000000000-mapping.dmp

Download
memory/916-22-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/916-21-0x0000000000000000-mapping.dmp

Download
memory/964-85-0x0000000000000000-mapping.dmp

Download
memory/976-105-0x0000000000000000-mapping.dmp

Download
memory/976-107-0x0000000004940000-0x0000000004951000-memory.dmp

Filesize
68KB

Download
memory/976-106-0x0000000004530000-0x0000000004541000-memory.dmp

Filesize
68KB

Download
memory/1016-114-0x0000000000000000-mapping.dmp

Download
memory/1016-82-0x0000000000000000-mapping.dmp

Download
memory/1064-86-0x0000000000000000-mapping.dmp

Download
memory/1072-2-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download
memory/1072-9-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1076-84-0x0000000000000000-mapping.dmp

Download
memory/1112-91-0x0000000000000000-mapping.dmp

Download
memory/1184-109-0x0000000000000000-mapping.dmp

Download
memory/1444-19-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1444-4-0x0000000000000000-mapping.dmp

Download
memory/1444-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1512-90-0x0000000000000000-mapping.dmp

Download
memory/1648-88-0x0000000000000000-mapping.dmp

Download
memory/1648-26-0x0000000000000000-mapping.dmp

Download
memory/1680-98-0x0000000000000000-mapping.dmp

Download
memory/1704-83-0x0000000000000000-mapping.dmp

Download
memory/1704-13-0x0000000000000000-mapping.dmp

Download
memory/1716-111-0x00000000037A0000-0x00000000037B1000-memory.dmp

Filesize
68KB

Download
memory/1716-110-0x0000000003390000-0x00000000033A1000-memory.dmp

Filesize
68KB

Download
memory/1720-92-0x0000000000000000-mapping.dmp

Download
memory/1800-63-0x0000000000000000-mapping.dmp

Download
memory/1892-100-0x0000000000000000-mapping.dmp

Download
memory/1892-101-0x0000000004810000-0x0000000004821000-memory.dmp

Filesize
68KB

Download
memory/1892-102-0x0000000004C20000-0x0000000004C31000-memory.dmp

Filesize
68KB

Download
memory/1904-97-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1904-94-0x0000000000000000-mapping.dmp

Download
memory/1996-11-0x0000000000000000-mapping.dmp

Download
memory/2008-104-0x0000000000000000-mapping.dmp

Download