Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-03-2023 05:51
Static task: static1
Behavioral task: behavioral1
- Sample: GWSetup.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: GWSetup.exe
- Resource: win10v2004-20230220-en
General
- Target: GWSetup.exe
- Size: 3.8MB
- MD5: 8f839eb818419e2dd9f1cf17112ae04e
- SHA1: 851befe0e6182ab117131d9cbf0b7ebf1e168b2f
- SHA256: 866ffae3f045e05b9847d16463571c7ccf243b6e4deac3b4f8ee7ace094a5b9f
- SHA512: 8d0f513e23c4eb9b1296a61e4d13fdb4f232ee2d8a0188fc5f68b5583aacb3631ec8e3593c139c817affd566f54c078882851b7c3549f328c34d22fe4aa06119
- SSDEEP: 98304:j9/NV2Uvj+lyF7M2F/jVfAlSKCbmLqk/Uzgbk9OC3pPbCluuVJO:5n2ki6Ye+zpAXNZPmluuu
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 5 IoCs
Processes: GWSetup.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gwdevflt\ImagePath = "\\??\\C:\\Program Files\\Gateway\\SSLVPN\\gwdevflt.sys" | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gwvsdflt\ImagePath = "\\??\\C:\\Program Files\\Gateway\\SSLVPN\\gwvsdflt.sys" | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gwredirector\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\gwredirector.sys" | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gwredirector6\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\gwredirector6.sys" | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gwvdisk\ImagePath = "\\??\\C:\\Program Files\\Gateway\\SSLVPN\\gwvdisk.sys" | GWSetup.exe
-
Executes dropped EXE 2 IoCs
Processes: gwupdater.exe, gwservice.exe
pid | process
2088 | gwupdater.exe
1516 | gwservice.exe
-
Loads dropped DLL 16 IoCs
Processes: GWSetup.exe, regsvr32.exe, regsvr32.exe, gwservice.exe
pid | process
4200 | GWSetup.exe
4200 | GWSetup.exe
4200 | GWSetup.exe
3652 | regsvr32.exe
4200 | GWSetup.exe
4200 | GWSetup.exe
4540 | regsvr32.exe
1516 | gwservice.exe
1516 | gwservice.exe
1516 | gwservice.exe
1516 | gwservice.exe
1516 | gwservice.exe
1516 | gwservice.exe
1516 | gwservice.exe
1516 | gwservice.exe
1516 | gwservice.exe
-
Registers COM server for autorun 1 TTPs 14 IoCs
Processes: regsvr32.exe, regsvr32.exe, GWSetup.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ThreadingModel = "Apartment" | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwsso_10634b31f.dll" | GWSetup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwsso_10634b31f.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32 | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwieplugin_10634a39c.dll" | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ThreadingModel = "Apartment" | GWSetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32 | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{100C2765-1362-4CCF-AB02-56D916BB8764}\InprocServer32\ = "C:\\Program Files\\Gateway\\SSLVPN\\gwieplugin_10634a39c.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\InprocServer32 | GWSetup.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 10 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: GWSetup.exe, regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\ | GWSetup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\ = "GWSSO BHO" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64}\NoExplorer = "1" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}\NoExplorer = "1" | GWSetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3}\ = "GWSSO BHO" | GWSetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE72892D-5FC9-4BF1-A09D-C5B59D4ECA64} | GWSetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2B7DF6-7E36-4A71-8169-D790C00DFCD3} | GWSetup.exe
-
Drops file in Program Files directory 5 IoCs
Processes: GWSetup.exe, gwservice.exe
description | ioc | process
File created | C:\Program Files\Gateway\SSLVPN\gwsso.dll | GWSetup.exe
File opened for modification | C:\Program Files (x86)\Gateway\SSLVPN\route.original | gwservice.exe
File created | C:\Program Files (x86)\Gateway\SSLVPN\package.conf | GWSetup.exe
File created | C:\Program Files (x86)\Gateway\SSLVPN\gwsso.dll | GWSetup.exe
File opened for modification | C:\Program Files (x86)\Gateway\SSLVPN\gwsso.dll | GWSetup.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: GWSetup.exe
description | pid | process | target process
PID 4200 wrote to memory of 3652 | 4200 | GWSetup.exe | regsvr32.exe
PID 4200 wrote to memory of 3652 | 4200 | GWSetup.exe | regsvr32.exe
PID 4200 wrote to memory of 4540 | 4200 | GWSetup.exe | regsvr32.exe
PID 4200 wrote to memory of 4540 | 4200 | GWSetup.exe | regsvr32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\GWSetup.exe
"C:\Users\Admin\AppData\Local\Temp\GWSetup.exe" 1⤵
- Sets service image path in registry
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Program Files\Gateway\SSLVPN\gwieplugin_10634a39c.dll" /s 2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Program Files\Gateway\SSLVPN\gwsso_10634b31f.dll" /s 2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
-
C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe
"C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exe" 1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exe
"C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exe" 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Gateway\SSLVPN\gwclient.exeFilesize
2.0MB
MD5170a07f04d00835ea0798b559bf480fb
SHA11de033004a58370d6c150acb5dc02e5bbcfa4834
SHA25646b29b746773c85bdfaeff3a10299f5330f30e78636432393391f7386dbe8522
SHA512964859d53324cb0d43f93623d050e6073352a7cf9a877146622ab4c3f065142ad7998dcb9b5605793b5cca05de8914376b0e12efe3c8e8a9414aac58c501801b
-
C:\Program Files (x86)\Gateway\SSLVPN\gwendsecurity.dllFilesize
101KB
MD5b3842abc50dac91746ac5a99324017df
SHA1a2aeaf96e807cb277f2ba0933c4c81d0d0469f57
SHA256a7215f13228fff8463801517b8dfa6e436b2d7baf846d73f003d33afed03fb03
SHA5126962f5a62588579d2e1845c9d8c661ac447a6c005f1bcfc30fa24ae2b3901b1a34358c08d7e3e6938617dfd2710d066a4d92f82fc14bd941155da2b999db66ff
-
C:\Program Files (x86)\Gateway\SSLVPN\gwieplugin_10634a2a2.dllFilesize
153KB
MD53009e217f735dee8daf76ed57ff43943
SHA1566389e8c75b83e18927203919a77f2ed50cbd0e
SHA25641d63c1d6e1df99d4ff707bf50fb346cbec9142cfab3f64ff271364e9e88c259
SHA5128f723685fdb7b7dd678ae961bbdf9e2f147b5bd991cf7ba1967d92a75b7fd5b77319cea94c9e6fb5b4289fa7986dba7b8e9ba5d95febc71e4faa6f426b777c81
-
C:\Program Files (x86)\Gateway\SSLVPN\gwieplugin_10634a2a2.dllFilesize
153KB
MD53009e217f735dee8daf76ed57ff43943
SHA1566389e8c75b83e18927203919a77f2ed50cbd0e
SHA25641d63c1d6e1df99d4ff707bf50fb346cbec9142cfab3f64ff271364e9e88c259
SHA5128f723685fdb7b7dd678ae961bbdf9e2f147b5bd991cf7ba1967d92a75b7fd5b77319cea94c9e6fb5b4289fa7986dba7b8e9ba5d95febc71e4faa6f426b777c81
-
C:\Program Files (x86)\Gateway\SSLVPN\gwieplugin_10634a2a2.dllFilesize
153KB
MD53009e217f735dee8daf76ed57ff43943
SHA1566389e8c75b83e18927203919a77f2ed50cbd0e
SHA25641d63c1d6e1df99d4ff707bf50fb346cbec9142cfab3f64ff271364e9e88c259
SHA5128f723685fdb7b7dd678ae961bbdf9e2f147b5bd991cf7ba1967d92a75b7fd5b77319cea94c9e6fb5b4289fa7986dba7b8e9ba5d95febc71e4faa6f426b777c81
-
C:\Program Files (x86)\Gateway\SSLVPN\gwnc.dllFilesize
173KB
MD5c301aab3af80765b8f88782ec3b5fbfc
SHA17e9b8aa773bfd1b9f91255944ad5e2e0aaab4d88
SHA256f4078d1498d9acc3cbd923c0da6f03540dc8204133d1e56ac513d6aa7458fa5f
SHA51274bf0f79f89bd64e8f334b35622b859654278afcba2905b311070c7369beb477bf2b5845150dbe6efb680681dd3715380b301c8c83dd79bc76ffd6ea0d4d1966
-
C:\Program Files (x86)\Gateway\SSLVPN\gwnc.dllFilesize
173KB
MD5c301aab3af80765b8f88782ec3b5fbfc
SHA17e9b8aa773bfd1b9f91255944ad5e2e0aaab4d88
SHA256f4078d1498d9acc3cbd923c0da6f03540dc8204133d1e56ac513d6aa7458fa5f
SHA51274bf0f79f89bd64e8f334b35622b859654278afcba2905b311070c7369beb477bf2b5845150dbe6efb680681dd3715380b301c8c83dd79bc76ffd6ea0d4d1966
-
C:\Program Files (x86)\Gateway\SSLVPN\gwnc.dllFilesize
173KB
MD5c301aab3af80765b8f88782ec3b5fbfc
SHA17e9b8aa773bfd1b9f91255944ad5e2e0aaab4d88
SHA256f4078d1498d9acc3cbd923c0da6f03540dc8204133d1e56ac513d6aa7458fa5f
SHA51274bf0f79f89bd64e8f334b35622b859654278afcba2905b311070c7369beb477bf2b5845150dbe6efb680681dd3715380b301c8c83dd79bc76ffd6ea0d4d1966
-
C:\Program Files (x86)\Gateway\SSLVPN\gwnc.dllFilesize
173KB
MD5c301aab3af80765b8f88782ec3b5fbfc
SHA17e9b8aa773bfd1b9f91255944ad5e2e0aaab4d88
SHA256f4078d1498d9acc3cbd923c0da6f03540dc8204133d1e56ac513d6aa7458fa5f
SHA51274bf0f79f89bd64e8f334b35622b859654278afcba2905b311070c7369beb477bf2b5845150dbe6efb680681dd3715380b301c8c83dd79bc76ffd6ea0d4d1966
-
C:\Program Files (x86)\Gateway\SSLVPN\gwproxy.dllFilesize
181KB
MD5d9e38ffbf386b57c9d2020ada5258e2d
SHA182f91354eb5b014deea391631d055f921507c2d7
SHA256feb5a87b5d0b532ef6721fe8c063dd5b111d3ee7c230662a1052717888497590
SHA5120a2d2e6883aa8f8a4379be80ba9b959c778e454ed7256ff89fd3b7da8b4806518f9aea791bb616f9fba29c23ea2ad8521d534a35e7a4241d89d07950aca9cff7
-
C:\Program Files (x86)\Gateway\SSLVPN\gwproxy.dllFilesize
181KB
MD5d9e38ffbf386b57c9d2020ada5258e2d
SHA182f91354eb5b014deea391631d055f921507c2d7
SHA256feb5a87b5d0b532ef6721fe8c063dd5b111d3ee7c230662a1052717888497590
SHA5120a2d2e6883aa8f8a4379be80ba9b959c778e454ed7256ff89fd3b7da8b4806518f9aea791bb616f9fba29c23ea2ad8521d534a35e7a4241d89d07950aca9cff7
-
C:\Program Files (x86)\Gateway\SSLVPN\gwproxy.dllFilesize
181KB
MD5d9e38ffbf386b57c9d2020ada5258e2d
SHA182f91354eb5b014deea391631d055f921507c2d7
SHA256feb5a87b5d0b532ef6721fe8c063dd5b111d3ee7c230662a1052717888497590
SHA5120a2d2e6883aa8f8a4379be80ba9b959c778e454ed7256ff89fd3b7da8b4806518f9aea791bb616f9fba29c23ea2ad8521d534a35e7a4241d89d07950aca9cff7
-
C:\Program Files (x86)\Gateway\SSLVPN\gwproxy.dllFilesize
181KB
MD5d9e38ffbf386b57c9d2020ada5258e2d
SHA182f91354eb5b014deea391631d055f921507c2d7
SHA256feb5a87b5d0b532ef6721fe8c063dd5b111d3ee7c230662a1052717888497590
SHA5120a2d2e6883aa8f8a4379be80ba9b959c778e454ed7256ff89fd3b7da8b4806518f9aea791bb616f9fba29c23ea2ad8521d534a35e7a4241d89d07950aca9cff7
-
C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exeFilesize
71KB
MD505a6fc45c44dda6b5862d58d71a1163f
SHA1a9c369262912553068328140e7d8e014360a25bd
SHA256e0cc8ddf6adda4134f98300f37b8c989a59d99a28569523f2fe941bdf96706a3
SHA512f86e8e9752e118632a3560640ccb636498cf9181126144f7c8563bf6f648591a446b0620506b797626917515e9875a8a73c94f3727237fe80495f8cce27c6dcb
-
C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exeFilesize
71KB
MD505a6fc45c44dda6b5862d58d71a1163f
SHA1a9c369262912553068328140e7d8e014360a25bd
SHA256e0cc8ddf6adda4134f98300f37b8c989a59d99a28569523f2fe941bdf96706a3
SHA512f86e8e9752e118632a3560640ccb636498cf9181126144f7c8563bf6f648591a446b0620506b797626917515e9875a8a73c94f3727237fe80495f8cce27c6dcb
-
C:\Program Files (x86)\Gateway\SSLVPN\gwservice.exeFilesize
71KB
MD505a6fc45c44dda6b5862d58d71a1163f
SHA1a9c369262912553068328140e7d8e014360a25bd
SHA256e0cc8ddf6adda4134f98300f37b8c989a59d99a28569523f2fe941bdf96706a3
SHA512f86e8e9752e118632a3560640ccb636498cf9181126144f7c8563bf6f648591a446b0620506b797626917515e9875a8a73c94f3727237fe80495f8cce27c6dcb
-
C:\Program Files (x86)\Gateway\SSLVPN\gwsession.dllFilesize
249KB
MD513646bdb256c438aa0d8ba30d1a2d014
SHA1eb9c7665d88e1812e6d966825d4b7849f3ac3e01
SHA256a9a769248403702ad3a0b34be4984fc3be46aa55c0937fcec9561703dca52b73
SHA512b82a8c21fb68bedd5a22425d5e08eb7aaee3c805d99305c6c9f7aec626ce26596324194907ac2835c8d421f148483d142c51631df683e756f4a9cbf951536de4
-
C:\Program Files (x86)\Gateway\SSLVPN\gwsession.dllFilesize
249KB
MD513646bdb256c438aa0d8ba30d1a2d014
SHA1eb9c7665d88e1812e6d966825d4b7849f3ac3e01
SHA256a9a769248403702ad3a0b34be4984fc3be46aa55c0937fcec9561703dca52b73
SHA512b82a8c21fb68bedd5a22425d5e08eb7aaee3c805d99305c6c9f7aec626ce26596324194907ac2835c8d421f148483d142c51631df683e756f4a9cbf951536de4
-
C:\Program Files (x86)\Gateway\SSLVPN\gwsession.dllFilesize
249KB
MD513646bdb256c438aa0d8ba30d1a2d014
SHA1eb9c7665d88e1812e6d966825d4b7849f3ac3e01
SHA256a9a769248403702ad3a0b34be4984fc3be46aa55c0937fcec9561703dca52b73
SHA512b82a8c21fb68bedd5a22425d5e08eb7aaee3c805d99305c6c9f7aec626ce26596324194907ac2835c8d421f148483d142c51631df683e756f4a9cbf951536de4
-
C:\Program Files (x86)\Gateway\SSLVPN\gwsso_10634b273.dllFilesize
105KB
MD55476dd5368a016d77c985ac383c0df68
SHA121f472bd0b362abbfba4eb71e001fa74293b4d42
SHA2563160955ed3d0467d8357359fcf1e7cf2551171d0df8165b66b9e05c6a4a49e4b
SHA5120dfcbe68bbfc6fc1e03374333209d5060d2dd7ad1862e546ac83e3bb2ef445c7b94813535dd97613454dbecbff8bc555a480cef333c1c9cf8ee7133f282a0ad2
-
C:\Program Files (x86)\Gateway\SSLVPN\gwsso_10634b273.dllFilesize
105KB
MD55476dd5368a016d77c985ac383c0df68
SHA121f472bd0b362abbfba4eb71e001fa74293b4d42
SHA2563160955ed3d0467d8357359fcf1e7cf2551171d0df8165b66b9e05c6a4a49e4b
SHA5120dfcbe68bbfc6fc1e03374333209d5060d2dd7ad1862e546ac83e3bb2ef445c7b94813535dd97613454dbecbff8bc555a480cef333c1c9cf8ee7133f282a0ad2
-
C:\Program Files (x86)\Gateway\SSLVPN\gwsso_10634b273.dllFilesize
105KB
MD55476dd5368a016d77c985ac383c0df68
SHA121f472bd0b362abbfba4eb71e001fa74293b4d42
SHA2563160955ed3d0467d8357359fcf1e7cf2551171d0df8165b66b9e05c6a4a49e4b
SHA5120dfcbe68bbfc6fc1e03374333209d5060d2dd7ad1862e546ac83e3bb2ef445c7b94813535dd97613454dbecbff8bc555a480cef333c1c9cf8ee7133f282a0ad2
-
C:\Program Files (x86)\Gateway\SSLVPN\gwstub.exeFilesize
145KB
MD5e8774b3c9e61e95072b9880379185771
SHA1da6ecc74624204ccb088c99304b98a603847f441
SHA256d20867cfae171f50d499c39bb435d2f79feb1368dd8ca168c31fd88006f09377
SHA512a50aaf0fe9ee3cebb903a6110fdc5605e9a4599c15fe17aa485a9899e23c69232ea40226ec17d3ac0bdcb09b2bb0e79b14c678e434e11bd23d13337baa19ec2f
-
C:\Program Files (x86)\Gateway\SSLVPN\gwtrayclient.exeFilesize
81KB
MD50173f1ae0f03a0c5c858077cd0306d51
SHA1ecadc1b52b2065cf2788df933fa90cd7b6b8c785
SHA25642e43c7302e6510c917a8232d6e20ec2f9150cbb500394e013b7d50deae4aab7
SHA512d181e6446607429fdf871aea406c6e7a39bcec1cac75200ac4dda98f325180416beaf4bff433d5063e63c148fa256feae5139777d04ac538a44351a9974e1bb0
-
C:\Program Files (x86)\Gateway\SSLVPN\gwuimng.dllFilesize
333KB
MD5fe543746a3e27da323305622bfe6c6fe
SHA127afaa28f119ac85e58c91793d37925f393ae55a
SHA2560cf2bf9c215e9b5e82d1af576ba52d99c194ddcf5b7ce3d03a8787a02b6fb637
SHA512e99b3b32670656e46448c0cc71f63ea856e2a8d7d30c585b2bb069ad4ecf2f07d3be222426e532d1a42a09b6f43fb793282a2dd08b41c0ffb1c298b71fb43fcc
-
C:\Program Files (x86)\Gateway\SSLVPN\gwuninstall.exeFilesize
47KB
MD56de6bc0b185de842214f3de264643299
SHA1d3e1f819ab07905ed0540364c2b41883d05ded22
SHA2560ec2d646c818687e27e081c2b06ef309511dd5426c9c3841973969ffaf06e155
SHA512872e0d1f8375008b3556eed99235943d379962f12fc02af113cc463abdf6d6cf2241b6fb64420e592208af72461f8b2f499d3a3f4c8b068c347aba39462f1c25
-
C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exeFilesize
71KB
MD54d941d0fed89724aef399efbe1d3ca58
SHA1f4b7e4c9d9595f3a2245650c95446faee7d9e337
SHA256a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5
SHA512e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25
-
C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exeFilesize
71KB
MD54d941d0fed89724aef399efbe1d3ca58
SHA1f4b7e4c9d9595f3a2245650c95446faee7d9e337
SHA256a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5
SHA512e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25
-
C:\Program Files (x86)\Gateway\SSLVPN\gwupdater.exeFilesize
71KB
MD54d941d0fed89724aef399efbe1d3ca58
SHA1f4b7e4c9d9595f3a2245650c95446faee7d9e337
SHA256a688d3529a2876d69fb8765ea626a0b64ce6cf0bba33aa55c8d0a7c06823f5b5
SHA512e0c62eaeac7514c211ffc2459c8db8936077d09e9a2d37c58e55bebff77a9287197ef08227aa0a8762010157cc1e20ebce80c066c0b53209376d5d7027ca9b25
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvdiskctrl.dllFilesize
53KB
MD5b9512162ace5458c987df54281fef294
SHA159b400c57618866bbf64528c1c5325797a0f8907
SHA25673f7ee8b57abaaeb9302d23a5828fffd4ed55680f5c2ffbae163b2a1f5886828
SHA51223456176b4caf6889ecf8cc06eae68f50d7288df70c46f5efebe627ee609f7f799516dd2fd3a231c877eedb005339415fdc66b4a2982db80191b4a3fbc4dd508
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvdiskctrl.dllFilesize
53KB
MD5b9512162ace5458c987df54281fef294
SHA159b400c57618866bbf64528c1c5325797a0f8907
SHA25673f7ee8b57abaaeb9302d23a5828fffd4ed55680f5c2ffbae163b2a1f5886828
SHA51223456176b4caf6889ecf8cc06eae68f50d7288df70c46f5efebe627ee609f7f799516dd2fd3a231c877eedb005339415fdc66b4a2982db80191b4a3fbc4dd508
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvdiskctrl.dllFilesize
53KB
MD5b9512162ace5458c987df54281fef294
SHA159b400c57618866bbf64528c1c5325797a0f8907
SHA25673f7ee8b57abaaeb9302d23a5828fffd4ed55680f5c2ffbae163b2a1f5886828
SHA51223456176b4caf6889ecf8cc06eae68f50d7288df70c46f5efebe627ee609f7f799516dd2fd3a231c877eedb005339415fdc66b4a2982db80191b4a3fbc4dd508
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvdiskctrl.dllFilesize
53KB
MD5b9512162ace5458c987df54281fef294
SHA159b400c57618866bbf64528c1c5325797a0f8907
SHA25673f7ee8b57abaaeb9302d23a5828fffd4ed55680f5c2ffbae163b2a1f5886828
SHA51223456176b4caf6889ecf8cc06eae68f50d7288df70c46f5efebe627ee609f7f799516dd2fd3a231c877eedb005339415fdc66b4a2982db80191b4a3fbc4dd508
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdctrl.dllFilesize
68KB
MD5fbdce60453c5ae99c7b5445d4e17fa2a
SHA12a2cb54dd9d8ef5cf75f56c55618f2e530848eac
SHA2565267f70028ef3c99390ef9da6a5e6d3e86affc89a86f9d4dbd261ed29183bff4
SHA512d9172fe5ca062008b91afc650250194d04e21edd27115383e80d8d193d359066d6ffc52b9a0099cb4259c2777fb88088a1bbb98ad3449a07b2b5eb1133420bf1
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdserver.dllFilesize
121KB
MD579d2bf27cdff7d2787facee650a1162b
SHA185053a5045f793d5bb1e94a6b4090f5da503e85e
SHA256c1be649a799378c03afee740994828ead53a34cfbe44faf0fd97ce426bc417d1
SHA512200c8f9d7737b5daa7f531c1291f48b5fee1e82cf17013365d036f8f132152c0087814c1e7c99d0c4a3c46306cff9c9c9752aa95df84c71afcefca39c334f0d8
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdserver.dllFilesize
121KB
MD579d2bf27cdff7d2787facee650a1162b
SHA185053a5045f793d5bb1e94a6b4090f5da503e85e
SHA256c1be649a799378c03afee740994828ead53a34cfbe44faf0fd97ce426bc417d1
SHA512200c8f9d7737b5daa7f531c1291f48b5fee1e82cf17013365d036f8f132152c0087814c1e7c99d0c4a3c46306cff9c9c9752aa95df84c71afcefca39c334f0d8
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdserver.dllFilesize
121KB
MD579d2bf27cdff7d2787facee650a1162b
SHA185053a5045f793d5bb1e94a6b4090f5da503e85e
SHA256c1be649a799378c03afee740994828ead53a34cfbe44faf0fd97ce426bc417d1
SHA512200c8f9d7737b5daa7f531c1291f48b5fee1e82cf17013365d036f8f132152c0087814c1e7c99d0c4a3c46306cff9c9c9752aa95df84c71afcefca39c334f0d8
-
C:\Program Files (x86)\Gateway\SSLVPN\gwvsdserver.dllFilesize
121KB
MD579d2bf27cdff7d2787facee650a1162b
SHA185053a5045f793d5bb1e94a6b4090f5da503e85e
SHA256c1be649a799378c03afee740994828ead53a34cfbe44faf0fd97ce426bc417d1
SHA512200c8f9d7737b5daa7f531c1291f48b5fee1e82cf17013365d036f8f132152c0087814c1e7c99d0c4a3c46306cff9c9c9752aa95df84c71afcefca39c334f0d8
-
C:\Program Files (x86)\Gateway\SSLVPN\libeay32_1.dllFilesize
1.2MB
MD5542eb526d2dcd2940b7849b456bf91ba
SHA1c8ce55bfd160cb58fd3fcc040e954fbb62851675
SHA256ea1a9150ce8507ec4362bd6498d52230c893ff3a7ccbd3a0b791a3b51ffa8b1c
SHA512415192df5b083727b96cc1d8d0a936f9d19d3d5a7194ffdfb6bb6b44fa3256e88081cdcb105a00d93c096523274afca0e49bc5d0662256ff9373420df6d02c89
-
C:\Program Files (x86)\Gateway\SSLVPN\smxengine.dllFilesize
33KB
MD53dde8a8520d0caf3343e022b929d63da
SHA1d2682c62e5010bb6c919bd9b5d5be8dd533e4c4f
SHA2565a4907e21b6d9934986a492b3ffc7e7e33686c5120b84ee7175384a05a5c7f38
SHA512a6ef389e1d9c4b3f60ceeec987ff202420fd4f55115fc57c7a4ad55fc7f3a01c814f66e31fd38e85fca33e3e6eec485993a55da87da613d32bbb6ba27761dba7
-
C:\Program Files (x86)\Gateway\SSLVPN\ssleay32_1.dllFilesize
277KB
MD5b33814f28eb5c63481a9956888897875
SHA17ce405afadadd885d96b414711d41591118694a0
SHA256b722ced316f618001008f57487ea0affe0303e86478ba6ec4590ac10adc931cf
SHA5129c2a831082f067275c1b14fd06e8db69dba59cd2831baebaf588551b84598901c358f7c8a09beb48d38f645010c16a4ea675d9a21b9e01aa0e6789de18c4bc9e
-
C:\Program Files (x86)\Gateway\SSLVPN\vsdagent.exeFilesize
36KB
MD5e49b805a67af4d79c9ee5070a82253e6
SHA17eda2972c3ed12aa6d0c785596f9bce6a99469e3
SHA256f754f332810edaffb653f3eb5e527d90e98cf956b86a310cc7d6d8eba3351924
SHA512456240cb9a3e9a73adecb8d76111aaa10b62cbbceaf4d67a28ec5a477f2922754b2d2623e353f02225c3afecb0d4d2d0dfee244ffb180333b58f5e913bdc4d60
-
C:\Program Files\Gateway\SSLVPN\NetFltInstaller.exe
Filesize: 70KB
-
C:\Program Files\Gateway\SSLVPN\gwdevflt.sys
Filesize: 22KB
-
C:\Program Files\Gateway\SSLVPN\gwieplugin_10634a39c.dll
Filesize: 208KB
-
C:\Program Files\Gateway\SSLVPN\gwnetflt.cat
Filesize: 8KB
-
C:\Program Files\Gateway\SSLVPN\gwnetflt.sys
Filesize: 28KB
-
C:\Program Files\Gateway\SSLVPN\gwnetflt_m.cat
Filesize: 7KB
-
C:\Program Files\Gateway\SSLVPN\gwsso_10634b31f.dll
Filesize: 137KB
-
C:\Program Files\Gateway\SSLVPN\gwstub.exe
Filesize: 148KB
-
C:\Program Files\Gateway\SSLVPN\gwuimng.dll
Filesize: 342KB
-
C:\Program Files\Gateway\SSLVPN\gwvdisk.sys
Filesize: 43KB
-
C:\Program Files\Gateway\SSLVPN\gwvsdflt.sys
Filesize: 29KB
-
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwhook.sys.64
Filesize: 4KB
-
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwnetflt.inf.64
Filesize: 5KB
-
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwnetflt_m.inf.64
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Temp\gwtemp\gwupdater.dll
Filesize: 237KB
-
C:\Users\Admin\AppData\Local\Temp\gwtemp\package.conf
Filesize: 21KB
-
C:\Windows\System32\drivers\devcon.exe
Filesize: 97KB
-
C:\Windows\System32\drivers\gwredirector.sys
Filesize: 18KB
-
C:\Windows\System32\drivers\gwredirector6.sys
Filesize: 18KB
-
C:\Windows\System32\drivers\gwvnic.cat
Filesize: 8KB
-
C:\Windows\System32\drivers\gwvnic.inf
Filesize: 1KB
-
C:\Windows\System32\drivers\gwvnic.sys
Filesize: 25KB
-
memory/1516-655-0x0000000001EC0000-0x0000000001F1D000-memory.dmp
Filesize: 372KB
-
memory/1516-663-0x0000000002B20000-0x0000000002BE6000-memory.dmp
Filesize: 792KB
-
memory/1516-667-0x0000000000760000-0x000000000076C000-memory.dmp
Filesize: 48KB
-
memory/1516-659-0x0000000002360000-0x000000000249D000-memory.dmp
Filesize: 1.2MB
-
memory/4200-574-0x0000000003370000-0x000000000339E000-memory.dmp
Filesize: 184KB
-
memory/4200-587-0x0000000003370000-0x000000000338D000-memory.dmp
Filesize: 116KB