2dc7c602294fa5441e9995c2e8ecfd6caa6fd4dba6a76b15d409f5e8a4d4ac87

Analysis

max time kernel
43s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GWSetup.exe
Size

3.8MB
MD5

8f839eb818419e2dd9f1cf17112ae04e
SHA1

851befe0e6182ab117131d9cbf0b7ebf1e168b2f
SHA256

866ffae3f045e05b9847d16463571c7ccf243b6e4deac3b4f8ee7ace094a5b9f
SHA512

8d0f513e23c4eb9b1296a61e4d13fdb4f232ee2d8a0188fc5f68b5583aacb3631ec8e3593c139c817affd566f54c078882851b7c3549f328c34d22fe4aa06119
SSDEEP

98304:j9/NV2Uvj+lyF7M2F/jVfAlSKCbmLqk/Uzgbk9OC3pPbCluuVJO:5n2ki6Ye+zpAXNZPmluuu

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Sets service image path in registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GWSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gwdevflt\ImagePath = "\\??\\C:\\Program Files\\Gateway\\SSLVPN\\gwdevflt.sys"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gwvsdflt\ImagePath = "\\??\\C:\\Program Files\\Gateway\\SSLVPN\\gwvsdflt.sys"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gwredirector\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\gwredirector.sys"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gwredirector6\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\gwredirector6.sys"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gwvdisk\ImagePath = "\\??\\C:\\Program Files\\Gateway\\SSLVPN\\gwvdisk.sys"	GWSetup.exe

Executes dropped EXE 2 IoCs

Processes:

gwupdater.exegwservice.exe

pid process

848 gwupdater.exe
1724 gwservice.exe

pid	process
848	gwupdater.exe
1724	gwservice.exe

Loads dropped DLL 16 IoCs

Processes:

GWSetup.exeregsvr32.exeregsvr32.exegwupdater.exegwservice.exe

pid	process
2036	GWSetup.exe
2036	GWSetup.exe
1212	regsvr32.exe
2036	GWSetup.exe
1392	regsvr32.exe
848	gwupdater.exe
848	gwupdater.exe
848	gwupdater.exe
2036	GWSetup.exe
1724	gwservice.exe
1724	gwservice.exe
1724	gwservice.exe
1724	gwservice.exe
1724	gwservice.exe
2036	GWSetup.exe
2036	GWSetup.exe

Registers COM server for autorun 1 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeGWSetup.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwieplugin_1063472f6.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ThreadingModel = "Apartment"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwsso_1063482a6.dll"	GWSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwieplugin_1063472f6.dll"	GWSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ThreadingModel = "Apartment"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwsso_1063482a6.dll"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 10 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

GWSetup.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}\ = "GWSSO BHO"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\	GWSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}	GWSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}\NoExplorer = "1"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\ = "GWSSO BHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 5 IoCs

Processes:

GWSetup.exegwservice.exe

description	ioc	process
File created	C:\Program Files (x86)\Gateway\SSLVPN\gwsso.dll	GWSetup.exe
File opened for modification	C:\Program Files (x86)\Gateway\SSLVPN\gwsso.dll	GWSetup.exe
File created	C:\Program Files\Gateway\SSLVPN\gwsso.dll	GWSetup.exe
File opened for modification	C:\Program Files (x86)\Gateway\SSLVPN\route.original	gwservice.exe
File created	C:\Program Files (x86)\Gateway\SSLVPN\package.conf	GWSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

GWSetup.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358032}\ProxyStubClsid32	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358064}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358064}\TypeLib\ = "{8EB482F9-4C37-445C-9134-BAB352CCE664}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B629149-D409-408F-868C-A4E9E3481464}\TypeLib\ = "{8EB482F9-4C37-445C-9134-BAB352CCE664}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C509B8B-B74E-40C1-BACE-796614E67746}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Gateway\\SSLVPN"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8EB482F9-4C37-445C-9134-BAB352CCE632}\1.0\0	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B629149-D409-408F-868C-A4E9E3481432}\TypeLib	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD0B40CC-84D5-4A6E-87D1-7793AD7E1F82}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8EB482F9-4C37-445C-9134-BAB352CCE664}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75D13E4F-3499-4097-9348-EDB521CDEB81}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8EB482F9-4C37-445C-9134-BAB352CCE664}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{81C08382-BF32-4576-BEC3-4A0B894AC55E}\1.0\HELPDIR\ = "C:\\Program Files\\Gateway\\SSLVPN"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Gwieplug.IeAx\CLSID\ = "{100C2765-1362-4CCF-AB02-56D916BB8732}"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\ProgID\ = "Gwieplug.IeAx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B629149-D409-408F-868C-A4E9E3481464}\ = "IIeAx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GWSSO.BHO.1\CLSID\ = "{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwieplugin_1063472f6.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C509B8B-B74E-40C1-BACE-796614E67746}\1.0\0\win32\ = "C:\\Program Files (x86)\\Gateway\\SSLVPN\\gwsso_1063481eb.dll"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8732}\ = "IeAx Class"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358064}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Gwieplug.IeAx.1\CLSID\ = "{100C2765-1362-4CCF-AB02-56D916BB8732}"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358032}\TypeLib\ = "{8EB482F9-4C37-445C-9134-BAB352CCE632}"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8EB482F9-4C37-445C-9134-BAB352CCE664}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GWSSO.BHO\CLSID\ = "{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{81C08382-BF32-4576-BEC3-4A0B894AC55E}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Gwieplug.IeAx.1	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Gwieplug.IeAx.1\CLSID	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358032}\TypeLib	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B629149-D409-408F-868C-A4E9E3481432}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{81C08382-BF32-4576-BEC3-4A0B894AC55E}\1.0\ = "GWSSO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{81C08382-BF32-4576-BEC3-4A0B894AC55E}\1.0\HELPDIR	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD0B40CC-84D5-4A6E-87D1-7793AD7E1F82}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD0B40CC-84D5-4A6E-87D1-7793AD7E1F82}\TypeLib\ = "{81C08382-BF32-4576-BEC3-4A0B894AC55E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75D13E4F-3499-4097-9348-EDB521CDEB81}\TypeLib\Version = "1.0"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GWSSO.BHO\ = "GWSSO BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358032}	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GWSSO.BHO.1\CLSID\ = "{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75D13E4F-3499-4097-9348-EDB521CDEB81}\ProxyStubClsid32	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Gwieplug.IeAx\CurVer\ = "Gwieplug.IeAx.1"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B629149-D409-408F-868C-A4E9E3481432}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B629149-D409-408F-868C-A4E9E3481432}\TypeLib\Version = "1.0"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwieplugin_1063472f6.dll"	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358064}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8732}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8EB482F9-4C37-445C-9134-BAB352CCE632}	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}\Programmable	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C509B8B-B74E-40C1-BACE-796614E67746}\1.0\HELPDIR	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD0B40CC-84D5-4A6E-87D1-7793AD7E1F82}\TypeLib\ = "{81C08382-BF32-4576-BEC3-4A0B894AC55E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8732}\TypeLib\ = "{8EB482F9-4C37-445C-9134-BAB352CCE632}"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B629149-D409-408F-868C-A4E9E3481432}\ProxyStubClsid32	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C97D0D6B-F762-4E58-BDB8-6384FC358032}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B629149-D409-408F-868C-A4E9E3481432}	GWSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\ = "IeAx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C509B8B-B74E-40C1-BACE-796614E67746}\1.0\FLAGS\ = "0"	GWSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{81C08382-BF32-4576-BEC3-4A0B894AC55E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B629149-D409-408F-868C-A4E9E3481464}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8732}	GWSetup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GWSetup.exe

description pid process

Token: SeRestorePrivilege 2036 GWSetup.exe
Token: SeBackupPrivilege 2036 GWSetup.exe

description	pid	process
Token: SeRestorePrivilege	2036	GWSetup.exe
Token: SeBackupPrivilege	2036	GWSetup.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

GWSetup.exe

description	pid	process	target process
PID 2036 wrote to memory of 1212	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1212	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1212	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1212	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1212	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1212	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1212	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1392	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1392	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1392	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1392	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1392	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1392	2036	GWSetup.exe	regsvr32.exe
PID 2036 wrote to memory of 1392	2036	GWSetup.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\GWSetup.exe
"C:\Users\Admin\AppData\Local\Temp\GWSetup.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Program Files\Gateway\SSLVPN\gwieplugin_1063472f6.dll" /s
2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1212

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Program Files\Gateway\SSLVPN\gwsso_1063482a6.dll" /s
2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1392

C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
"C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848

C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exe
"C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gateway\SSLVPN\gwclient.exe
Filesize
2.0MB

MD5
170a07f04d00835ea0798b559bf480fb

SHA1
1de033004a58370d6c150acb5dc02e5bbcfa4834

SHA256
46b29b746773c85bdfaeff3a10299f5330f30e78636432393391f7386dbe8522

SHA512
964859d53324cb0d43f93623d050e6073352a7cf9a877146622ab4c3f065142ad7998dcb9b5605793b5cca05de8914376b0e12efe3c8e8a9414aac58c501801b

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwendsecurity.dll
Filesize
101KB

MD5
b3842abc50dac91746ac5a99324017df

SHA1
a2aeaf96e807cb277f2ba0933c4c81d0d0469f57

SHA256
a7215f13228fff8463801517b8dfa6e436b2d7baf846d73f003d33afed03fb03

SHA512
6962f5a62588579d2e1845c9d8c661ac447a6c005f1bcfc30fa24ae2b3901b1a34358c08d7e3e6938617dfd2710d066a4d92f82fc14bd941155da2b999db66ff

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwieplugin_1063471ec.dll
Filesize
153KB

MD5
3009e217f735dee8daf76ed57ff43943

SHA1
566389e8c75b83e18927203919a77f2ed50cbd0e

SHA256
41d63c1d6e1df99d4ff707bf50fb346cbec9142cfab3f64ff271364e9e88c259

SHA512
8f723685fdb7b7dd678ae961bbdf9e2f147b5bd991cf7ba1967d92a75b7fd5b77319cea94c9e6fb5b4289fa7986dba7b8e9ba5d95febc71e4faa6f426b777c81

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwnc.dll
Filesize
173KB

MD5
c301aab3af80765b8f88782ec3b5fbfc

SHA1
7e9b8aa773bfd1b9f91255944ad5e2e0aaab4d88

SHA256
f4078d1498d9acc3cbd923c0da6f03540dc8204133d1e56ac513d6aa7458fa5f

SHA512
74bf0f79f89bd64e8f334b35622b859654278afcba2905b311070c7369beb477bf2b5845150dbe6efb680681dd3715380b301c8c83dd79bc76ffd6ea0d4d1966

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwnc.dll
Filesize
173KB

MD5
c301aab3af80765b8f88782ec3b5fbfc

SHA1
7e9b8aa773bfd1b9f91255944ad5e2e0aaab4d88

SHA256
f4078d1498d9acc3cbd923c0da6f03540dc8204133d1e56ac513d6aa7458fa5f

SHA512
74bf0f79f89bd64e8f334b35622b859654278afcba2905b311070c7369beb477bf2b5845150dbe6efb680681dd3715380b301c8c83dd79bc76ffd6ea0d4d1966

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwproxy.dll
Filesize
181KB

MD5
d9e38ffbf386b57c9d2020ada5258e2d

SHA1
82f91354eb5b014deea391631d055f921507c2d7

SHA256
feb5a87b5d0b532ef6721fe8c063dd5b111d3ee7c230662a1052717888497590

SHA512
0a2d2e6883aa8f8a4379be80ba9b959c778e454ed7256ff89fd3b7da8b4806518f9aea791bb616f9fba29c23ea2ad8521d534a35e7a4241d89d07950aca9cff7

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwproxy.dll
Filesize
181KB

MD5
d9e38ffbf386b57c9d2020ada5258e2d

SHA1
82f91354eb5b014deea391631d055f921507c2d7

SHA256
feb5a87b5d0b532ef6721fe8c063dd5b111d3ee7c230662a1052717888497590

SHA512
0a2d2e6883aa8f8a4379be80ba9b959c778e454ed7256ff89fd3b7da8b4806518f9aea791bb616f9fba29c23ea2ad8521d534a35e7a4241d89d07950aca9cff7

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exe
Filesize
71KB

MD5
05a6fc45c44dda6b5862d58d71a1163f

SHA1
a9c369262912553068328140e7d8e014360a25bd

SHA256
e0cc8ddf6adda4134f98300f37b8c989a59d99a28569523f2fe941bdf96706a3

SHA512
f86e8e9752e118632a3560640ccb636498cf9181126144f7c8563bf6f648591a446b0620506b797626917515e9875a8a73c94f3727237fe80495f8cce27c6dcb

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exe
Filesize
71KB

MD5
05a6fc45c44dda6b5862d58d71a1163f

SHA1
a9c369262912553068328140e7d8e014360a25bd

SHA256
e0cc8ddf6adda4134f98300f37b8c989a59d99a28569523f2fe941bdf96706a3

SHA512
f86e8e9752e118632a3560640ccb636498cf9181126144f7c8563bf6f648591a446b0620506b797626917515e9875a8a73c94f3727237fe80495f8cce27c6dcb

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwsession.dll
Filesize
249KB

MD5
13646bdb256c438aa0d8ba30d1a2d014

SHA1
eb9c7665d88e1812e6d966825d4b7849f3ac3e01

SHA256
a9a769248403702ad3a0b34be4984fc3be46aa55c0937fcec9561703dca52b73

SHA512
b82a8c21fb68bedd5a22425d5e08eb7aaee3c805d99305c6c9f7aec626ce26596324194907ac2835c8d421f148483d142c51631df683e756f4a9cbf951536de4

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwsession.dll
Filesize
249KB

MD5
13646bdb256c438aa0d8ba30d1a2d014

SHA1
eb9c7665d88e1812e6d966825d4b7849f3ac3e01

SHA256
a9a769248403702ad3a0b34be4984fc3be46aa55c0937fcec9561703dca52b73

SHA512
b82a8c21fb68bedd5a22425d5e08eb7aaee3c805d99305c6c9f7aec626ce26596324194907ac2835c8d421f148483d142c51631df683e756f4a9cbf951536de4

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwsso_1063481eb.dll
Filesize
105KB

MD5
5476dd5368a016d77c985ac383c0df68

SHA1
21f472bd0b362abbfba4eb71e001fa74293b4d42

SHA256
3160955ed3d0467d8357359fcf1e7cf2551171d0df8165b66b9e05c6a4a49e4b

SHA512
0dfcbe68bbfc6fc1e03374333209d5060d2dd7ad1862e546ac83e3bb2ef445c7b94813535dd97613454dbecbff8bc555a480cef333c1c9cf8ee7133f282a0ad2

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwstub.exe
Filesize
145KB

MD5
e8774b3c9e61e95072b9880379185771

SHA1
da6ecc74624204ccb088c99304b98a603847f441

SHA256
d20867cfae171f50d499c39bb435d2f79feb1368dd8ca168c31fd88006f09377

SHA512
a50aaf0fe9ee3cebb903a6110fdc5605e9a4599c15fe17aa485a9899e23c69232ea40226ec17d3ac0bdcb09b2bb0e79b14c678e434e11bd23d13337baa19ec2f

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwtrayclient.exe
Filesize
81KB

MD5
0173f1ae0f03a0c5c858077cd0306d51

SHA1
ecadc1b52b2065cf2788df933fa90cd7b6b8c785

SHA256
42e43c7302e6510c917a8232d6e20ec2f9150cbb500394e013b7d50deae4aab7

SHA512
d181e6446607429fdf871aea406c6e7a39bcec1cac75200ac4dda98f325180416beaf4bff433d5063e63c148fa256feae5139777d04ac538a44351a9974e1bb0

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwuimng.dll
Filesize
333KB

MD5
fe543746a3e27da323305622bfe6c6fe

SHA1
27afaa28f119ac85e58c91793d37925f393ae55a

SHA256
0cf2bf9c215e9b5e82d1af576ba52d99c194ddcf5b7ce3d03a8787a02b6fb637

SHA512
e99b3b32670656e46448c0cc71f63ea856e2a8d7d30c585b2bb069ad4ecf2f07d3be222426e532d1a42a09b6f43fb793282a2dd08b41c0ffb1c298b71fb43fcc

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwuninstall.exe
Filesize
47KB

MD5
6de6bc0b185de842214f3de264643299

SHA1
d3e1f819ab07905ed0540364c2b41883d05ded22

SHA256
0ec2d646c818687e27e081c2b06ef309511dd5426c9c3841973969ffaf06e155

SHA512
872e0d1f8375008b3556eed99235943d379962f12fc02af113cc463abdf6d6cf2241b6fb64420e592208af72461f8b2f499d3a3f4c8b068c347aba39462f1c25

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
Filesize
71KB

MD5
4d941d0fed89724aef399efbe1d3ca58

SHA1
f4b7e4c9d9595f3a2245650c95446faee7d9e337

SHA256
a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5

SHA512
e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
Filesize
71KB

MD5
4d941d0fed89724aef399efbe1d3ca58

SHA1
f4b7e4c9d9595f3a2245650c95446faee7d9e337

SHA256
a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5

SHA512
e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
Filesize
71KB

MD5
4d941d0fed89724aef399efbe1d3ca58

SHA1
f4b7e4c9d9595f3a2245650c95446faee7d9e337

SHA256
a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5

SHA512
e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwvdiskctrl.dll
Filesize
53KB

MD5
b9512162ace5458c987df54281fef294

SHA1
59b400c57618866bbf64528c1c5325797a0f8907

SHA256
73f7ee8b57abaaeb9302d23a5828fffd4ed55680f5c2ffbae163b2a1f5886828

SHA512
23456176b4caf6889ecf8cc06eae68f50d7288df70c46f5efebe627ee609f7f799516dd2fd3a231c877eedb005339415fdc66b4a2982db80191b4a3fbc4dd508

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwvdiskctrl.dll
Filesize
53KB

MD5
b9512162ace5458c987df54281fef294

SHA1
59b400c57618866bbf64528c1c5325797a0f8907

SHA256
73f7ee8b57abaaeb9302d23a5828fffd4ed55680f5c2ffbae163b2a1f5886828

SHA512
23456176b4caf6889ecf8cc06eae68f50d7288df70c46f5efebe627ee609f7f799516dd2fd3a231c877eedb005339415fdc66b4a2982db80191b4a3fbc4dd508

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdctrl.dll
Filesize
68KB

MD5
fbdce60453c5ae99c7b5445d4e17fa2a

SHA1
2a2cb54dd9d8ef5cf75f56c55618f2e530848eac

SHA256
5267f70028ef3c99390ef9da6a5e6d3e86affc89a86f9d4dbd261ed29183bff4

SHA512
d9172fe5ca062008b91afc650250194d04e21edd27115383e80d8d193d359066d6ffc52b9a0099cb4259c2777fb88088a1bbb98ad3449a07b2b5eb1133420bf1

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdserver.dll
Filesize
121KB

MD5
79d2bf27cdff7d2787facee650a1162b

SHA1
85053a5045f793d5bb1e94a6b4090f5da503e85e

SHA256
c1be649a799378c03afee740994828ead53a34cfbe44faf0fd97ce426bc417d1

SHA512
200c8f9d7737b5daa7f531c1291f48b5fee1e82cf17013365d036f8f132152c0087814c1e7c99d0c4a3c46306cff9c9c9752aa95df84c71afcefca39c334f0d8

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdserver.dll
Filesize
121KB

MD5
79d2bf27cdff7d2787facee650a1162b

SHA1
85053a5045f793d5bb1e94a6b4090f5da503e85e

SHA256
c1be649a799378c03afee740994828ead53a34cfbe44faf0fd97ce426bc417d1

SHA512
200c8f9d7737b5daa7f531c1291f48b5fee1e82cf17013365d036f8f132152c0087814c1e7c99d0c4a3c46306cff9c9c9752aa95df84c71afcefca39c334f0d8

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\libeay32_1.dll
Filesize
1.2MB

MD5
542eb526d2dcd2940b7849b456bf91ba

SHA1
c8ce55bfd160cb58fd3fcc040e954fbb62851675

SHA256
ea1a9150ce8507ec4362bd6498d52230c893ff3a7ccbd3a0b791a3b51ffa8b1c

SHA512
415192df5b083727b96cc1d8d0a936f9d19d3d5a7194ffdfb6bb6b44fa3256e88081cdcb105a00d93c096523274afca0e49bc5d0662256ff9373420df6d02c89

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\smxengine.dll
Filesize
33KB

MD5
3dde8a8520d0caf3343e022b929d63da

SHA1
d2682c62e5010bb6c919bd9b5d5be8dd533e4c4f

SHA256
5a4907e21b6d9934986a492b3ffc7e7e33686c5120b84ee7175384a05a5c7f38

SHA512
a6ef389e1d9c4b3f60ceeec987ff202420fd4f55115fc57c7a4ad55fc7f3a01c814f66e31fd38e85fca33e3e6eec485993a55da87da613d32bbb6ba27761dba7

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\ssleay32_1.dll
Filesize
277KB

MD5
b33814f28eb5c63481a9956888897875

SHA1
7ce405afadadd885d96b414711d41591118694a0

SHA256
b722ced316f618001008f57487ea0affe0303e86478ba6ec4590ac10adc931cf

SHA512
9c2a831082f067275c1b14fd06e8db69dba59cd2831baebaf588551b84598901c358f7c8a09beb48d38f645010c16a4ea675d9a21b9e01aa0e6789de18c4bc9e

Download Submit
C:\Program Files (x86)\Gateway\SSLVPN\vsdagent.exe
Filesize
36KB

MD5
e49b805a67af4d79c9ee5070a82253e6

SHA1
7eda2972c3ed12aa6d0c785596f9bce6a99469e3

SHA256
f754f332810edaffb653f3eb5e527d90e98cf956b86a310cc7d6d8eba3351924

SHA512
456240cb9a3e9a73adecb8d76111aaa10b62cbbceaf4d67a28ec5a477f2922754b2d2623e353f02225c3afecb0d4d2d0dfee244ffb180333b58f5e913bdc4d60

Download Submit
C:\Program Files\Gateway\SSLVPN\NetFltInstaller.exe
Filesize
70KB

MD5
afecd31ca8099e05ea4b276f29027c8f

SHA1
4d517f11bcc1a77bf6b256ed69a2bc26f67e14fc

SHA256
143ad22bec182da9ede703cf71dcbfdec05c14519a04c37c9301a60aac1cf10a

SHA512
6931cbdbf31cc6409da053a8b17a33e98309561b4d93f5a9d7ff1601dc669b8266004153acc356980c7dce8f6a85044c82e79c1e63096666359fe93fae94c369

Download Submit
C:\Program Files\Gateway\SSLVPN\gwdevflt.sys
Filesize
22KB

MD5
452b2daa7cf4a9441cb28ab6fd3bc22f

SHA1
4748810ba4599c1d3fd71295878f6e0e89cfe41b

SHA256
abc9bbd3fd51ff859b2cfed69586b30ba95efcb72fe48ce5466c54e875778475

SHA512
f5b4ac12c1523803ef9b848db05320ef75c109218800445b845bd2fe67f7a7ed2e2f805d802e84297b23531576431ba7dca34851ba95d42a456aaa0139fe5eda

Download Submit
C:\Program Files\Gateway\SSLVPN\gwieplugin_1063472f6.dll
Filesize
208KB

MD5
e31a7fba086008e67136a2ad823731ed

SHA1
28e262bde6e67b47572c34079caca2c1203aa90b

SHA256
e16a314c1e0aef05a1c3fac65a2cb0122b4b65fdfca6cdca241e01a27006145c

SHA512
8d1d70216ac45fa163235e2e4591bec49aa326d3a3e3c761bb16e5dbac31b73efe627ff3eec6d75ca062e12f711628adc96da2a249c54fd6ddd890bbe3ef5af8

Download Submit
C:\Program Files\Gateway\SSLVPN\gwieplugin_1063472f6.dll
Filesize
208KB

MD5
e31a7fba086008e67136a2ad823731ed

SHA1
28e262bde6e67b47572c34079caca2c1203aa90b

SHA256
e16a314c1e0aef05a1c3fac65a2cb0122b4b65fdfca6cdca241e01a27006145c

SHA512
8d1d70216ac45fa163235e2e4591bec49aa326d3a3e3c761bb16e5dbac31b73efe627ff3eec6d75ca062e12f711628adc96da2a249c54fd6ddd890bbe3ef5af8

Download Submit
C:\Program Files\Gateway\SSLVPN\gwnetflt.cat
Filesize
8KB

MD5
87bbda53b668f653deff3f822f51863d

SHA1
3291b98abf7071f2dc6f38848997b081425ed484

SHA256
0079a76ebb09397fbdb91fc748a6dbe0f5879a079ee47b7dd8e3bf7b5adab9f2

SHA512
929cd53673aff570d0c5b100a91b84c3e939a7290256db007ae65ac234b7736c6ef6996b1d5a0bd0c013829e0d51e86c7bd6bb296da2e19336368d6c378da1ed

Download Submit
C:\Program Files\Gateway\SSLVPN\gwnetflt.sys
Filesize
28KB

MD5
21c12e94d39a15ecf6be17728ace2ee6

SHA1
b0a39d943fdf5ad3c3d5ff4d39ea072218a686ec

SHA256
75fc1a85156a01b61e0e96bcb02027a5eb65f1734ea31976693a1a5cf958ca3c

SHA512
747e19c55d7e968c5d66c82463441bd38d8c8df8d4f2b20ce4bc5adf3f6d9bbe1be337da893388983273d1a041f00883f313ed6380859d2e3b3d7e574428855f

Download Submit
C:\Program Files\Gateway\SSLVPN\gwnetflt_m.cat
Filesize
7KB

MD5
d157f3650a4b615425a9594f121fe23e

SHA1
248650339724b4b734172ebcb5ff1591486ff80a

SHA256
7ce0e109102454c33d3ee7113f4936ff4de6cda599b32cf7d997d960cf9f6989

SHA512
6e110317ded74cecaa59f2f0f2f0f6d0193295add4124eb7abdc294a3803c9231a4eff6a3e0d96ff26ed6baf807d027cd7327f967cbd64c159eabef122152b82

Download Submit
C:\Program Files\Gateway\SSLVPN\gwsso_1063482a6.dll
Filesize
137KB

MD5
ff658b3f65a9dc32b754fb91f6f47b3f

SHA1
4384db6590619244f2d9ec0dc82101cd61674620

SHA256
69178a7d19360f75324db98182441c756ba1a5ac7b1375f95ea7ae4bbeb41781

SHA512
cf848ed250a8d5d6df8756fea85d82db3586d5f0039b5e8d258878129e40426328372d57cd9ef8695eb453748fbe80785e2e1c88208608e72fbcd9eb4c4cc216

Download Submit
C:\Program Files\Gateway\SSLVPN\gwsso_1063482a6.dll
Filesize
137KB

MD5
ff658b3f65a9dc32b754fb91f6f47b3f

SHA1
4384db6590619244f2d9ec0dc82101cd61674620

SHA256
69178a7d19360f75324db98182441c756ba1a5ac7b1375f95ea7ae4bbeb41781

SHA512
cf848ed250a8d5d6df8756fea85d82db3586d5f0039b5e8d258878129e40426328372d57cd9ef8695eb453748fbe80785e2e1c88208608e72fbcd9eb4c4cc216

Download Submit
C:\Program Files\Gateway\SSLVPN\gwstub.exe
Filesize
148KB

MD5
a75f36764b561f729cc6f3aacebdb981

SHA1
e1f19ff64e79f0dd06e5bf3bb190d64d7d862063

SHA256
e8b38628f92ad8f70b5b7113667d68f5f892ae6e0eefbb5bb03a920176a13a94

SHA512
b4ea110c92aa6dd4741c437fffbabbe2f8d8f17fc6c12fdbff49c9515e3e718de32243dadb30f87b5d486915773360ce620c496259a84c7443abafb99686be70

Download Submit
C:\Program Files\Gateway\SSLVPN\gwuimng.dll
Filesize
342KB

MD5
787e3225503010165c0be2ba8b832c36

SHA1
541dec84adf9057f869b89f2d5667e6c38e66249

SHA256
cf744664a29fb9cbd81d73b4621c31b6e6d8c0107d55d11a3babdda07ea70d50

SHA512
569d0bb84c624eac42a343edb54dcf30786bf958cd925309f33ae63cdd79a8e593a20c12b3a82d6f12e2a0922955d486b5a1caf2109a511da9001bb46adada62

Download Submit
C:\Program Files\Gateway\SSLVPN\gwvdisk.sys
Filesize
43KB

MD5
dfdb967183808e18d30ab4ac2973f5cf

SHA1
0b1408cdecd6d0ad49716fff8c138ef65564e642

SHA256
3041ef0ccddc7dd2f4fb9853014685c9a8b900828f986bc92c29858700b9facb

SHA512
1fddc91fe654b6c5c7129916dc5f3a166abff55f930b9f06bec1210d3d1acb8ad07b92ff42e69c21fa9c19e6d68503241544afe5f31b35e8c92b5cc4221f565b

Download Submit
C:\Program Files\Gateway\SSLVPN\gwvsdflt.sys
Filesize
29KB

MD5
2d036f5327c849656915d0d032df91bb

SHA1
5929752a61db4def916aceed8657c0fe37fe8465

SHA256
874887c622a613da8a1b911e198d99d461c476779cd98f393bc2c60427bb6348

SHA512
3dbbe0260be0c5c01eb1e62104d2a77687ed0675f972c8810f4c61ff1c7e595bbebcc55f14247cb3c3d8efa9d4286119fa76c1f7432ea9be3ee15ceb0e6b81d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwhook.sys.64
Filesize
4KB

MD5
7b7a56233922636ee8e41f4e18f1d2da

SHA1
d47c5b016f9905afc84499ae99b40a9ccbb868d3

SHA256
bbc46848dc0ea4e3aa9647eace832005711193ef1807381df2711ad2d21e42a3

SHA512
a15720cd702cdd1bd925ec7b707306bc6512b75fe63c60f917fa6d03c31a8e609774ac676cd17a74a39732af8044bb21966420fb8674d479fb8b201f06c8dbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwnetflt.inf.64
Filesize
5KB

MD5
1a276ca58360cdf3970a0102effd1bbc

SHA1
e899d85c090111246ace2cd6b6a29581a84152cc

SHA256
9aa81a543be53012c8d19dc3520ce6a1b6adf01ae5a8609e567fae27328fa6e5

SHA512
1aa5f47e667e7ebc041531d7dfcbdd6455033f7018ec94c6ee77ba116751e14f45336d4575bb2dd07f20dcd3d2eb6a1ba42d9011e195335d36e0834cd57ae5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwnetflt_m.inf.64
Filesize
2KB

MD5
2bd235b452120e1cb6e9f12404d5344a

SHA1
1258064dfd9c734df9e98b8c3667f3374dc8af85

SHA256
1e1f1d15350512720a6c9e7bb890fc23d49d7136c1b9aadc09e1135e2aeaaf8f

SHA512
f707a166930e8cb2f0a3712b9777582c763458ad78ef2fad27fca31bf9bbd1dedd6ab2622b01a9a9c30f0f0f08c047dbf3ab9d1bd9f0c00f1d182b18e1b9f53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwupdater.dll
Filesize
237KB

MD5
c19d93253f6467231c2984abbcda95e7

SHA1
149e6cfec6eb8aff252189ca4f45881cf9b59327

SHA256
af319cc61a31810b5fb9e7471188251d1bf8e2b2a6200f1ad178856125d079fe

SHA512
d73e05d1a41dbdc541092d961ca8b6bf1d40875bf8412cc99ff422978efe1894967e69017e14f9d1d003d6de97613aaa411b4a1f0edcecddb950e4c43a938899

Download Submit
C:\Windows\System32\drivers\devcon.exe
Filesize
97KB

MD5
e32ed7a8eba0a364a9937ad9adf5e3d9

SHA1
ee5da4577cf82888a556417dfe255df044bae33a

SHA256
ea755f622519053f69846896b308c390a6a382fbc976e0654af215ef263ac49a

SHA512
c86d2aae2da5e11fd6f35759e8c891881d4a5bbf89f41e011dac9421d4932d9dc1a42c7863044d105b00ba907f5b19fc298d3d1c818943a516222f5b3fdcbd51

Download Submit
C:\Windows\System32\drivers\gwredirector.sys
Filesize
18KB

MD5
8f358f5cbda411a507ebef4617738449

SHA1
1478f92b70615ef09d6a8d1d2795e83fb834eaf8

SHA256
9dde826cf70d78ca1468435e52a21e89b197b56882ee49f9da93945b18677a6e

SHA512
5ae294aa940377d265b0503731d16d95eada8cf5aee752eba0fbb5bb969d53294ab46ec7954aaf8eda4f5af4d47acc7c76e46f10e5854d2b02d4ea5870668a41

Download Submit
C:\Windows\System32\drivers\gwredirector6.sys
Filesize
18KB

MD5
c513112ef7257f51b9cab1e12b9182a8

SHA1
7f10f29354dc08c26e4a4abbc9986fef1c227b95

SHA256
95485d3ed61334d9e4754de62fdd7d5eef605224d4d7472b5a7baee3e8cbf71a

SHA512
d9d78328e535f62571bf88d7f026bed6c8e506733148f64cc92491ef9a0a9018143b8e422746fea5dd39ffa069916d9fad0270cd54c5b6962189e4af46257115

Download Submit
C:\Windows\System32\drivers\gwvnic.cat
Filesize
8KB

MD5
c8127b034e8d45eaa6891ed5dbbbe2e5

SHA1
24e3aae092f310c07947e2ca196ecfb6a1dace60

SHA256
10fc51edec95a3a2610c2d382e11a87199b0cc4d86dd01543644fe82e989e4c8

SHA512
ac3a8c146f6939d2e02b0dc0cad9f89eabe92704ed8752008fea21069ee9458718ff8c11815a9d8b297b9f79addc5177d07fae9004f05bee5203a7babfdb9514

Download Submit
C:\Windows\System32\drivers\gwvnic.inf
Filesize
1KB

MD5
6818e12e050f56a7e01386891358ec4a

SHA1
f0a135f48011635c088d91c4cca8a9dd2087da8e

SHA256
99a96116a981ab6854abb0d12719ecbe3874d58223bb1b2da0b8d35edb6670ee

SHA512
fca20dc34dc9c62ad3c37bb37f2e846c0c32ce491b13a7ad9d35e012ec0f4ced9be2177947554270a1fdbbe50d5ca5b058617d5e8398b3e28a24d701c1cb57ef

Download Submit
C:\Windows\System32\drivers\gwvnic.sys
Filesize
25KB

MD5
844884e9b552e84851b5bf7eafb56961

SHA1
da9fab5ea344c8293885172c62778e445d86064f

SHA256
77e58c97df9c42b41f85f08cae00dad9f68728b00f30fca8418e379977aa183e

SHA512
39a1315636ae81eae3e0454ee57de5f2c128de852dd8be24f8d1d3c2d0f54d53c3cc8f0c22cf348c0524b7106c99a6a05f8a2d41b73d8dbf8dbac2107f49f638

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwieplugin_1063471ec.dll
Filesize
153KB

MD5
3009e217f735dee8daf76ed57ff43943

SHA1
566389e8c75b83e18927203919a77f2ed50cbd0e

SHA256
41d63c1d6e1df99d4ff707bf50fb346cbec9142cfab3f64ff271364e9e88c259

SHA512
8f723685fdb7b7dd678ae961bbdf9e2f147b5bd991cf7ba1967d92a75b7fd5b77319cea94c9e6fb5b4289fa7986dba7b8e9ba5d95febc71e4faa6f426b777c81

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwnc.dll
Filesize
173KB

MD5
c301aab3af80765b8f88782ec3b5fbfc

SHA1
7e9b8aa773bfd1b9f91255944ad5e2e0aaab4d88

SHA256
f4078d1498d9acc3cbd923c0da6f03540dc8204133d1e56ac513d6aa7458fa5f

SHA512
74bf0f79f89bd64e8f334b35622b859654278afcba2905b311070c7369beb477bf2b5845150dbe6efb680681dd3715380b301c8c83dd79bc76ffd6ea0d4d1966

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwproxy.dll
Filesize
181KB

MD5
d9e38ffbf386b57c9d2020ada5258e2d

SHA1
82f91354eb5b014deea391631d055f921507c2d7

SHA256
feb5a87b5d0b532ef6721fe8c063dd5b111d3ee7c230662a1052717888497590

SHA512
0a2d2e6883aa8f8a4379be80ba9b959c778e454ed7256ff89fd3b7da8b4806518f9aea791bb616f9fba29c23ea2ad8521d534a35e7a4241d89d07950aca9cff7

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwsession.dll
Filesize
249KB

MD5
13646bdb256c438aa0d8ba30d1a2d014

SHA1
eb9c7665d88e1812e6d966825d4b7849f3ac3e01

SHA256
a9a769248403702ad3a0b34be4984fc3be46aa55c0937fcec9561703dca52b73

SHA512
b82a8c21fb68bedd5a22425d5e08eb7aaee3c805d99305c6c9f7aec626ce26596324194907ac2835c8d421f148483d142c51631df683e756f4a9cbf951536de4

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwsso_1063481eb.dll
Filesize
105KB

MD5
5476dd5368a016d77c985ac383c0df68

SHA1
21f472bd0b362abbfba4eb71e001fa74293b4d42

SHA256
3160955ed3d0467d8357359fcf1e7cf2551171d0df8165b66b9e05c6a4a49e4b

SHA512
0dfcbe68bbfc6fc1e03374333209d5060d2dd7ad1862e546ac83e3bb2ef445c7b94813535dd97613454dbecbff8bc555a480cef333c1c9cf8ee7133f282a0ad2

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwuninstall.exe
Filesize
47KB

MD5
6de6bc0b185de842214f3de264643299

SHA1
d3e1f819ab07905ed0540364c2b41883d05ded22

SHA256
0ec2d646c818687e27e081c2b06ef309511dd5426c9c3841973969ffaf06e155

SHA512
872e0d1f8375008b3556eed99235943d379962f12fc02af113cc463abdf6d6cf2241b6fb64420e592208af72461f8b2f499d3a3f4c8b068c347aba39462f1c25

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
Filesize
71KB

MD5
4d941d0fed89724aef399efbe1d3ca58

SHA1
f4b7e4c9d9595f3a2245650c95446faee7d9e337

SHA256
a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5

SHA512
e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
Filesize
71KB

MD5
4d941d0fed89724aef399efbe1d3ca58

SHA1
f4b7e4c9d9595f3a2245650c95446faee7d9e337

SHA256
a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5

SHA512
e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
Filesize
71KB

MD5
4d941d0fed89724aef399efbe1d3ca58

SHA1
f4b7e4c9d9595f3a2245650c95446faee7d9e337

SHA256
a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5

SHA512
e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwvdiskctrl.dll
Filesize
53KB

MD5
b9512162ace5458c987df54281fef294

SHA1
59b400c57618866bbf64528c1c5325797a0f8907

SHA256
73f7ee8b57abaaeb9302d23a5828fffd4ed55680f5c2ffbae163b2a1f5886828

SHA512
23456176b4caf6889ecf8cc06eae68f50d7288df70c46f5efebe627ee609f7f799516dd2fd3a231c877eedb005339415fdc66b4a2982db80191b4a3fbc4dd508

Download Submit
\Program Files (x86)\Gateway\SSLVPN\gwvsdserver.dll
Filesize
121KB

MD5
79d2bf27cdff7d2787facee650a1162b

SHA1
85053a5045f793d5bb1e94a6b4090f5da503e85e

SHA256
c1be649a799378c03afee740994828ead53a34cfbe44faf0fd97ce426bc417d1

SHA512
200c8f9d7737b5daa7f531c1291f48b5fee1e82cf17013365d036f8f132152c0087814c1e7c99d0c4a3c46306cff9c9c9752aa95df84c71afcefca39c334f0d8

Download Submit
\Program Files\Gateway\SSLVPN\gwieplugin_1063472f6.dll
Filesize
208KB

MD5
e31a7fba086008e67136a2ad823731ed

SHA1
28e262bde6e67b47572c34079caca2c1203aa90b

SHA256
e16a314c1e0aef05a1c3fac65a2cb0122b4b65fdfca6cdca241e01a27006145c

SHA512
8d1d70216ac45fa163235e2e4591bec49aa326d3a3e3c761bb16e5dbac31b73efe627ff3eec6d75ca062e12f711628adc96da2a249c54fd6ddd890bbe3ef5af8

Download Submit
\Program Files\Gateway\SSLVPN\gwsso_1063482a6.dll
Filesize
137KB

MD5
ff658b3f65a9dc32b754fb91f6f47b3f

SHA1
4384db6590619244f2d9ec0dc82101cd61674620

SHA256
69178a7d19360f75324db98182441c756ba1a5ac7b1375f95ea7ae4bbeb41781

SHA512
cf848ed250a8d5d6df8756fea85d82db3586d5f0039b5e8d258878129e40426328372d57cd9ef8695eb453748fbe80785e2e1c88208608e72fbcd9eb4c4cc216

Download Submit
\Users\Admin\AppData\Local\Temp\gwtemp\gwupdater.dll
Filesize
237KB

MD5
c19d93253f6467231c2984abbcda95e7

SHA1
149e6cfec6eb8aff252189ca4f45881cf9b59327

SHA256
af319cc61a31810b5fb9e7471188251d1bf8e2b2a6200f1ad178856125d079fe

SHA512
d73e05d1a41dbdc541092d961ca8b6bf1d40875bf8412cc99ff422978efe1894967e69017e14f9d1d003d6de97613aaa411b4a1f0edcecddb950e4c43a938899

Download Submit
\Windows\System32\drivers\gwvnic.sys
Filesize
25KB

MD5
844884e9b552e84851b5bf7eafb56961

SHA1
da9fab5ea344c8293885172c62778e445d86064f

SHA256
77e58c97df9c42b41f85f08cae00dad9f68728b00f30fca8418e379977aa183e

SHA512
39a1315636ae81eae3e0454ee57de5f2c128de852dd8be24f8d1d3c2d0f54d53c3cc8f0c22cf348c0524b7106c99a6a05f8a2d41b73d8dbf8dbac2107f49f638

Download Submit
\Windows\System32\drivers\gwvnic.sys
Filesize
25KB

MD5
844884e9b552e84851b5bf7eafb56961

SHA1
da9fab5ea344c8293885172c62778e445d86064f

SHA256
77e58c97df9c42b41f85f08cae00dad9f68728b00f30fca8418e379977aa183e

SHA512
39a1315636ae81eae3e0454ee57de5f2c128de852dd8be24f8d1d3c2d0f54d53c3cc8f0c22cf348c0524b7106c99a6a05f8a2d41b73d8dbf8dbac2107f49f638

Download Submit
memory/1724-582-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1724-576-0x0000000002BB0000-0x0000000002CED000-memory.dmp

Filesize
1.2MB

Download
memory/1724-579-0x0000000003ED0000-0x0000000003F96000-memory.dmp

Filesize
792KB

Download
memory/1724-573-0x0000000002190000-0x00000000021ED000-memory.dmp

Filesize
372KB

Download
memory/2036-492-0x00000000004D0000-0x00000000004FE000-memory.dmp

Filesize
184KB

Download
memory/2036-502-0x00000000004D0000-0x00000000004ED000-memory.dmp

Filesize
116KB

Download
memory/2036-589-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/2036-590-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/2036-591-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/2036-592-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads