Analysis
max time kernel: 317s
max time network: 319s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 20:17

Static task: static1

Behavioral task: behavioral1
Sample: GlobalProtect64.msi
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: GlobalProtect64.msi
Resource: win10v2004-20231215-en

General
Target: GlobalProtect64.msi
Size: 146.6MB
MD5: 9439176ef49420d5f408ee9387297988
SHA1: b3feeb18c62089147cd7f25c9dcfd645f89ff6ec
SHA256: bfdfef5780bbc10ad826e9ae3039fb04434ac02a16d86b8ab6be89eedf48d770
SHA512: 06c97edfe8cd33325f35c5d757d7d45557263f96df0778c9600dc923845176ab9192cd1393b96914139b074e96850f1b549cabc65d703e0e1341a5660b0f5a61
SSDEEP: 3145728:HcsxNSn9OR7owDYqEa/7zFBQsrQzxY6hqb5VaBVnlBcRiN:H/xNDlowDYqE47PQsrQCXVIR2RiN

Malware Config

Signatures

Drops file in Drivers directory (3 IoCs)
Processes: PanGPS.exe
description | ioc | process
File opened for modification | C:\Windows\system32\DRIVERS\pangpd.sys | PanGPS.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETB7C8.tmp | PanGPS.exe
File created | C:\Windows\system32\DRIVERS\SETB7C8.tmp | PanGPS.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: msiexec.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GlobalProtect = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe\"" | msiexec.exe

Blocklisted process makes network request (1 IoCs)
Processes: msiexec.exe
flow | pid | process
9 | 4688 | msiexec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe

Drops file in System32 directory (64 IoCs)
Processes: PanGPS.exe, DrvInst.exe, msiexec.exe
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF | PanGPS.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{dc308162-2928-784b-a592-183c652e5d8c} | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\net1ic64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\netwtw04.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.PNF | PanGPS.exe
File created | C:\Windows\system32\PanCredProv.dll | msiexec.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF | PanGPS.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{dc308162-2928-784b-a592-183c652e5d8c}\SETA7AD.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\net8187bv64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\netl160a.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.PNF | PanGPS.exe
File created | C:\Windows\system32\PanPlapProvider.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF | PanGPS.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{dc308162-2928-784b-a592-183c652e5d8c}\SETA7AC.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{dc308162-2928-784b-a592-183c652e5d8c}\pangpd.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\netvf63a.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ipoib6x.inf_amd64_ef71073a5867971f\ipoib6x.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF | PanGPS.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{dc308162-2928-784b-a592-183c652e5d8c}\pangpd.sys | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF | PanGPS.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd64.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_81bff1eb756435c6\rndiscmp.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\Temp\{dc308162-2928-784b-a592-183c652e5d8c}\SETA7AC.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{dc308162-2928-784b-a592-183c652e5d8c}\pangpd64.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | PanGPS.exe
File created | C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.PNF | PanGPS.exe
File created | C:\Windows\system32\PanV2CredProv.dll | msiexec.exe

Drops file in Program Files directory (61 IoCs)
Processes: msiexec.exe, PanGPS.exe, PanGPS.exe
description | ioc | process
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00001.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\res\Panw-Logo.png | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap1.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap2.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\tray_stop.ico | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok.ico | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\Connected.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\tray_busy.ico | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.cat | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedFail.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.avi | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\res\help.chm | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\close3.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00003.bmp | msiexec.exe
File opened for modification | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log | PanGPS.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\license.cfg | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\uninstall.ico | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Semibold.ttf | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\close2.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedInternal.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.inf | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll | msiexec.exe
File opened for modification | C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log | PanGPS.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd64.cat | msiexec.exe
File opened for modification | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log | PanGPS.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok_msg.ico | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\close1.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll | msiexec.exe
File opened for modification | C:\Program Files\Palo Alto Networks\GlobalProtect\pan_gp_event.log | PanGPS.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.ico | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedNone.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.bmp | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanMSAgent.ico | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\Decimal-Medium-Pro.otf | msiexec.exe
File opened for modification | C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log | PanGPS.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Regular.ttf | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.cat | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\DEM64.msi | msiexec.exe
File created | C:\Program Files\Palo Alto Networks\GlobalProtect\PanSupport.ico | msiexec.exe

Drops file in Windows directory (64 IoCs)
Processes: PanGPS.exe, msiexec.exe
description | ioc | process
File created | C:\Windows\INF\lsi_sas2i.PNF | PanGPS.exe
File created | C:\Windows\INF\netserv.PNF | PanGPS.exe
File created | C:\Windows\INF\sensorsalsdriver.PNF | PanGPS.exe
File created | C:\Windows\INF\wave.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmar1.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmiodat.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmusrf.PNF | PanGPS.exe
File created | C:\Windows\INF\net1ic64.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmgl005.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmmc288.PNF | PanGPS.exe
File created | C:\Windows\INF\netvf63a.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmtdkj4.PNF | PanGPS.exe
File created | C:\Windows\INF\multiprt.PNF | PanGPS.exe
File created | C:\Windows\INF\wvmbusvideo.PNF | PanGPS.exe
File created | C:\Windows\INF\usbncm.PNF | PanGPS.exe
File created | C:\Windows\INF\c_usbdevice.PNF | PanGPS.exe
File created | C:\Windows\INF\mchgr.PNF | PanGPS.exe
File created | C:\Windows\INF\rawsilo.PNF | PanGPS.exe
File created | C:\Windows\INF\stexstor.PNF | PanGPS.exe
File created | C:\Windows\INF\netirda.PNF | PanGPS.exe
File created | C:\Windows\INF\netloop.PNF | PanGPS.exe
File created | C:\Windows\INF\c_fssecurityenhancer.PNF | PanGPS.exe
File created | C:\Windows\INF\PerceptionSimulationSixDof.PNF | PanGPS.exe
File created | C:\Windows\INF\wpdmtp.PNF | PanGPS.exe
File created | C:\Windows\INF\netip6.PNF | PanGPS.exe
File created | C:\Windows\INF\netnvma.PNF | PanGPS.exe
File created | C:\Windows\INF\lsi_sss.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmgl010.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmkortx.PNF | PanGPS.exe
File created | C:\Windows\INF\ndisimplatform.PNF | PanGPS.exe
File created | C:\Windows\INF\BthOob.PNF | PanGPS.exe
File created | C:\Windows\INF\c_sensor.PNF | PanGPS.exe
File created | C:\Windows\INF\dc21x4vm.PNF | PanGPS.exe
File created | C:\Windows\INF\mdminfot.PNF | PanGPS.exe
File created | C:\Windows\INF\prnms005.PNF | PanGPS.exe
File created | C:\Windows\Installer\{654C71C3-9449-4BCD-8AE3-06648507751C}\_6B6AE9FA905AF8B5D22E71.exe | msiexec.exe
File created | C:\Windows\INF\3ware.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmcomp.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmmega.PNF | PanGPS.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\INF\c_ports.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmolic.PNF | PanGPS.exe
File created | C:\Windows\INF\netsstpa.PNF | PanGPS.exe
File created | C:\Windows\INF\microsoft_bluetooth_a2dp_snk.PNF | PanGPS.exe
File created | C:\Windows\INF\c_barcodescanner.PNF | PanGPS.exe
File created | C:\Windows\INF\halextintclpiodma.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmnova.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmpenr.PNF | PanGPS.exe
File created | C:\Windows\INF\xboxgipsynthetic.PNF | PanGPS.exe
File created | C:\Windows\INF\c_wceusbs.PNF | PanGPS.exe
File created | C:\Windows\INF\ehstorpwddrv.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmtdkj6.PNF | PanGPS.exe
File created | C:\Windows\INF\v_mscdsc.PNF | PanGPS.exe
File created | C:\Windows\INF\wsdscdrv.PNF | PanGPS.exe
File created | C:\Windows\INF\c_fshsm.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmgl006.PNF | PanGPS.exe
File created | C:\Windows\INF\miradisp.PNF | PanGPS.exe
File created | C:\Windows\INF\netwtw02.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmdp2.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmgen.PNF | PanGPS.exe
File created | C:\Windows\INF\mdmmts.PNF | PanGPS.exe
File created | C:\Windows\INF\ndiscap.PNF | PanGPS.exe
File created | C:\Windows\INF\ntprint.PNF | PanGPS.exe
File created | C:\Windows\INF\c_avc.PNF | PanGPS.exe

Executes dropped EXE (5 IoCs)
Processes: PanGPS.exe, PanGPS.exe, PanGPA.exe, PanGPA.exe, PanGPSupport.exe
pid | process
1604 | PanGPS.exe
1772 | PanGPS.exe
2972 | PanGPA.exe
464 | PanGPA.exe
672 | PanGPSupport.exe

Loads dropped DLL (2 IoCs)
Processes: PanGPS.exe, PanGPS.exe
pid | process
1604 | PanGPS.exe
1772 | PanGPS.exe

Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: PanGPS.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32 | PanGPS.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ = "PanV2CredProv.dll" | PanGPS.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ThreadingModel = "Apartment" | PanGPS.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 51 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe, DrvInst.exe, PanGPS.exe, svchost.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | PanGPS.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | PanGPS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | PanGPS.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | PanGPS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe, netstat.exe
pid | process
1600 | ipconfig.exe
3688 | netstat.exe

Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.

Processes: PanGPS.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000" | PanGPS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000" | PanGPS.exe

Modifies data under HKEY_USERS (53 IoCs)
Processes: msiexec.exe, DrvInst.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Modifies registry class 42 IoCs
Processes:
msiexec.exePanGPSupport.exePanGPS.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ PanGPSupport.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\ = "\"URL:GlobalProtectCallback Protocol\"" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\DeploymentFlags = "3" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ = "PanV2CredProv.dll" PanGPS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\PackageCode = "D4ED00B69BACC73489F0DA225E356B41" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\PackageName = "GlobalProtect64.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\ = "PanV2CredProv" PanGPS.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ PanGPSupport.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback msiexec.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductName = "GlobalProtect" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\globalprotectcallback msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\URL Protocol msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1\DefaultFeature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Version = "100728834" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF\3C17C4569449DCB4A83E6046587057C1 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\globalprotectcallback\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command\ = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanVcrediChecker.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32 PanGPS.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Clients = 3a0000000000 msiexec.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18} PanGPS.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\DefaultIcon\ = "\"PanVcrediChecker.exe,1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\globalprotectcallback\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ThreadingModel = "Apartment" PanGPS.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings PanGPSupport.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductIcon = "C:\\Windows\\Installer\\{654C71C3-9449-4BCD-8AE3-06648507751C}\\_853F67D554F05449430E7E.exe" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msiexec.exePanGPS.exePanGPS.exepid process 4232 msiexec.exe 4232 msiexec.exe 1604 PanGPS.exe 1604 PanGPS.exe 1604 PanGPS.exe 1604 PanGPS.exe 1772 PanGPS.exe 1772 PanGPS.exe 1772 PanGPS.exe 1772 PanGPS.exe 1772 PanGPS.exe 1772 PanGPS.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 4688 msiexec.exe Token: SeIncreaseQuotaPrivilege 4688 msiexec.exe Token: SeSecurityPrivilege 4232 msiexec.exe Token: SeCreateTokenPrivilege 4688 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4688 msiexec.exe Token: SeLockMemoryPrivilege 4688 msiexec.exe Token: SeIncreaseQuotaPrivilege 4688 msiexec.exe Token: SeMachineAccountPrivilege 4688 msiexec.exe Token: SeTcbPrivilege 4688 msiexec.exe Token: SeSecurityPrivilege 4688 msiexec.exe Token: SeTakeOwnershipPrivilege 4688 msiexec.exe Token: SeLoadDriverPrivilege 4688 msiexec.exe Token: SeSystemProfilePrivilege 4688 msiexec.exe Token: SeSystemtimePrivilege 4688 msiexec.exe Token: SeProfSingleProcessPrivilege 4688 msiexec.exe Token: SeIncBasePriorityPrivilege 4688 msiexec.exe Token: SeCreatePagefilePrivilege 4688 msiexec.exe Token: SeCreatePermanentPrivilege 4688 msiexec.exe Token: SeBackupPrivilege 4688 msiexec.exe Token: SeRestorePrivilege 4688 msiexec.exe Token: SeShutdownPrivilege 4688 msiexec.exe Token: SeDebugPrivilege 4688 msiexec.exe Token: SeAuditPrivilege 4688 msiexec.exe Token: SeSystemEnvironmentPrivilege 4688 msiexec.exe Token: SeChangeNotifyPrivilege 4688 msiexec.exe Token: SeRemoteShutdownPrivilege 4688 msiexec.exe Token: SeUndockPrivilege 4688 msiexec.exe Token: SeSyncAgentPrivilege 4688 msiexec.exe Token: SeEnableDelegationPrivilege 4688 msiexec.exe Token: SeManageVolumePrivilege 4688 msiexec.exe Token: SeImpersonatePrivilege 4688 msiexec.exe Token: SeCreateGlobalPrivilege 4688 msiexec.exe Token: SeBackupPrivilege 4424 vssvc.exe Token: SeRestorePrivilege 4424 vssvc.exe Token: SeAuditPrivilege 4424 vssvc.exe Token: SeBackupPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: 
SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe Token: SeTakeOwnershipPrivilege 4232 msiexec.exe Token: SeRestorePrivilege 4232 msiexec.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
msiexec.exePanGPA.exepid process 4688 msiexec.exe 2972 PanGPA.exe 4688 msiexec.exe 2972 PanGPA.exe 2972 PanGPA.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
PanGPA.exepid process 2972 PanGPA.exe 2972 PanGPA.exe 2972 PanGPA.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
PanGPA.exePanGPA.exePanGPSupport.exepid process 2972 PanGPA.exe 2972 PanGPA.exe 464 PanGPA.exe 672 PanGPSupport.exe 672 PanGPSupport.exe 672 PanGPSupport.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
msiexec.exesvchost.exePanGPS.exePanGPSupport.exedescription pid process target process PID 4232 wrote to memory of 1328 4232 msiexec.exe srtasks.exe PID 4232 wrote to memory of 1328 4232 msiexec.exe srtasks.exe PID 4232 wrote to memory of 1604 4232 msiexec.exe PanGPS.exe PID 4232 wrote to memory of 1604 4232 msiexec.exe PanGPS.exe PID 4992 wrote to memory of 3724 4992 svchost.exe DrvInst.exe PID 4992 wrote to memory of 3724 4992 svchost.exe DrvInst.exe PID 1772 wrote to memory of 2972 1772 PanGPS.exe PanGPA.exe PID 1772 wrote to memory of 2972 1772 PanGPS.exe PanGPA.exe PID 672 wrote to memory of 3248 672 PanGPSupport.exe route.exe PID 672 wrote to memory of 3248 672 PanGPSupport.exe route.exe PID 672 wrote to memory of 1600 672 PanGPSupport.exe ipconfig.exe PID 672 wrote to memory of 1600 672 PanGPSupport.exe ipconfig.exe PID 672 wrote to memory of 2960 672 PanGPSupport.exe wmic.exe PID 672 wrote to memory of 2960 672 PanGPSupport.exe wmic.exe PID 672 wrote to memory of 1492 672 PanGPSupport.exe netsh.exe PID 672 wrote to memory of 1492 672 PanGPSupport.exe netsh.exe PID 672 wrote to memory of 3688 672 PanGPSupport.exe netstat.exe PID 672 wrote to memory of 3688 672 PanGPSupport.exe netstat.exe PID 672 wrote to memory of 2252 672 PanGPSupport.exe systeminfo.exe PID 672 wrote to memory of 2252 672 PanGPSupport.exe systeminfo.exe PID 672 wrote to memory of 4868 672 PanGPSupport.exe wmic.exe PID 672 wrote to memory of 4868 672 PanGPSupport.exe wmic.exe PID 672 wrote to memory of 2304 672 PanGPSupport.exe wmic.exe PID 672 wrote to memory of 2304 672 PanGPSupport.exe wmic.exe PID 672 wrote to memory of 4480 672 PanGPSupport.exe wmic.exe PID 672 wrote to memory of 4480 672 PanGPSupport.exe wmic.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GlobalProtect64.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4688
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1328
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1604
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "000000000000014C" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3724
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" fromGPS2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2972
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:464
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SYSTEM32\route.exeroute print2⤵PID:3248
-
C:\Windows\SYSTEM32\ipconfig.exeipconfig /all2⤵
- Gathers network information
PID:1600 -
C:\Windows\System32\Wbem\wmic.exewmic nicconfig list full2⤵PID:2960
-
C:\Windows\SYSTEM32\netsh.exenetsh interface ipv4 show interfaces level=verbose2⤵PID:1492
-
C:\Windows\SYSTEM32\netstat.exenetstat -n2⤵
- Gathers network information
PID:3688 -
C:\Windows\SYSTEM32\systeminfo.exesysteminfo2⤵
- Gathers system information
PID:2252 -
C:\Windows\System32\Wbem\wmic.exewmic process list full2⤵PID:4868
-
C:\Windows\System32\Wbem\wmic.exewmic service where state='running' list full2⤵PID:2304
-
C:\Windows\System32\Wbem\wmic.exewmic sysdriver where state='running' list full2⤵PID:4480
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1276
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
30KB
MD5ca69fb0390b6ded1219e963f12d28edf
SHA1dae39501a07de19a5380dfac51e9fb83f6ceaca0
SHA256b90a03ea6e5d1304f20ba38bd305c93832fb738deaafa02c0b6b381afb88112d
SHA512d3bf7f2be7670a2a23451a542632d5f2d8e01936ce4f7d45609fd780e3440a3e9d9f683e9e9b2b6db660dd8dd2c8464c7b067c8ff45bb7e89adf1497e02884c0
-
Filesize
76KB
MD56ca91596cfae2079ba66bfbb099f41e6
SHA112729569ca22d782630e988c56a6472d8cfb96aa
SHA2569cc08f70555e3958e1676fba56b12d482ef961f8fdbba9e69db7a44f3b007a02
SHA512f06f785aa445c1f77d6b3553d3db99c1373f99ff55505bea71763f15b62334ebe1dd77550110179942fbb44b85ee7330ee59f888e409c8600f6df7a7611b8ace
-
Filesize
10KB
MD56f4e74e781e6bcf142dd838cfebb41c7
SHA1f4943f6168827c6e6e5cb4f9e7d34b35398d66c9
SHA256f6f9275be2da16360f7498dd1b4631f9b19fff816d8a025b0146c20572b1a1ea
SHA5126fe8ed0041cb9e9f0ed350df512738164b1f26a475a50db2f9691e7855d6e5ae1de590cab13e190ebd66765a722b39153c90e913cfa00835c0fc3cce347baa85
-
Filesize
64KB
MD5a0461f4078af59688aee6ddea095a6a7
SHA1861047e2f15a412f1e8e48fae7434965d15d48ce
SHA256acb8315b92a000ff55d731d8175bbed0668d5cd838df33d24f5244e56ddc6c27
SHA5122bbec4ca8d078e8a7d867ca32569a657210c008715886d0498c2b25e2071e9c87cb7cc4941efc1f22d23192631f14162452a018ceec2da7f7321f7c2c4608de7
-
Filesize
58KB
MD5f29367ad71706b20dd6866347439c528
SHA1aa8fad23f2cc5c8a1fe9ae0ec88e4fb0c7723b93
SHA2561f728377e7a7288a9750f9aa95524d7371cd7bb7454a9c8222528ff1bc463b0c
SHA5127456d8346398bee349ade93ec7dfc898869419f24424a6744ecb69b5901a29b6a30f2b303676a480f4f9c3bbd7465ba1fab9587e36c06c1eb035add5d6137f09
-
Filesize
4.9MB
MD53174b28b5a65fc2b64d0b4004707f528
SHA18eceb0ae983862f10c97d8efc317916677de7213
SHA256024bf463d74a51a2bdc871ae79327fed27079f0eaac087d0ed4665e50f6f7afe
SHA51276baace8b2343e3382460ec174a66c2f1de85e8078c2fd45ed52d568a644edbb1ff5e8255125fd583bb05aba9746a1bd49158d1951071fdb7bd1a76d29110ad4
-
Filesize
1.2MB
MD58d04fc7659531db416bc9b5cb417f673
SHA1741e656abb6fedde3425e9f784454dd9538a41e8
SHA25607fb3b940ec562030ffd484d1ff658c36ef3ff0f18702fd53c61ff8958c2b01b
SHA512b4e95d8d66df4e1978d4e569eef2ca3e2e4dbae21cf0ea987d3518f025675768698e8349b38b9adb3d4336c8a6afee2d4483c1ca31ce0945be9d39c77be75a42
-
Filesize
2.6MB
MD5f48720bde9fd85569c158b464a7fd2b3
SHA19eae82da2535595aeb0916c966f236fddc22fec6
SHA25624051383744c74d433968468262fe58b41c126f52fb8cd05ca8c543b7203b8d4
SHA512faa3f96cc5153cc5d1446705af69a2efb375884a201d7314fc0edc3d5f2cbd13147e901febcfe10462089f813672c4617a3bd9750c6e7d6ceb47b8e99020e6f9
-
Filesize
1.1MB
MD5538869c7753cddcd6aed8152f51d15e7
SHA19c2cf343e6b28416fecbb369ac570853b8ca9d08
SHA256c378b24663c3a319c47d1afd97457d85894eb73a941284c377331df61c2b76c9
SHA512ff4e7c0b25214c69113f7904136f1a547be96a9cbdf503096132938668e0ef3fc0b94027305053585f8c043bfb9beb85915d0fc7d53bb5b49332ac64c91983ec
-
Filesize
6KB
MD59a6671d77d510ee8a0770d7c3f7ee7e0
SHA1ac1577b607e18be8b67973c65ab65dab7d1bb1a8
SHA256c5afe434cc7067bd923bc9f2fccd5828753ba6537a519108f34ffa7d5ad01ec0
SHA512ea91de0e7d32f22ed67b72a495b41d281fb1a505e9a150d0edc4a2989ec3e064ffb64079ce9f2337a04ee139665fe8f94434da5db29bc896941fe3877b79c949
-
Filesize
2.9MB
MD51858301e9f443ce695746ed084bc4548
SHA12c80b53449e607acf6468d723387290a0c6e52bd
SHA2564d4279922a6e901fe1aecf3790d647f4d5ba21dc25514c173a7b53a968091b17
SHA51283e1aa9f0e04375b2fa5005a3f97d530d09269148bd347ce2186ff302c1637a6c3c56b4ee85fb599b48082c2c031fce97e99d15c0716d7f4c27e6468ecdf88c7
-
Filesize
279KB
MD527a8ea702bfb4dacdd21a42257563d9f
SHA1bce90f73a04f4fd3f854ae5b4a93e6da41e5ba63
SHA25685a11027117d5fb33a09298f28dde22af5e859fe574b41a9bf5da1e595334a27
SHA512ad891bc3f0626f67d482d9849384706cadc17b8688e0136aec2b9fc0cfa2203d6c8fbf3f02eb9452970a4ca66281be733e044cdea24a1d645e64e1dd9d390645
-
Filesize
318B
MD5f2c08a010ff0f45f869396ea6162d97e
SHA1d0b2ae69457761699b28683abd2d4232c769eaba
SHA256745e76bf6ce1bbfb800329ca7a8c7e743358da2c50c9feadfafd9d6a78368f25
SHA512aa84ead638c5dfd8209a708eccc06cc706120b022e303b357ab072b612cd8d55858ec85a406f87eaad85273162bd095e56e3389212d462625b0bb8666fd7dbfe
-
Filesize
1KB
MD52e4333230ecaaf6ceead4ee39b2a5f80
SHA16ca34715d9bf18f75744551f9ba1e32bb98b9e57
SHA2564a0f4a4ce176106661660e7569e7cd39a15bac47f9abf6b9d12c87d080461e1d
SHA51220f1e65c18406bcad53275e75ea12b8dc6177fb54b36bdaafc5cc9efa4c2cfe402f6b04ba5d759d4bf523a1d9dab23b755ffd240901d607af00f9d6398a28591
-
Filesize
2KB
MD5849fe0d71a3ff43377f5cf686f9a8794
SHA17a2ee9b8328ee373d068f5f37dcd07416d3177e5
SHA256b887f0a12f7afc783cf8e2a4384c31c76a713cfdeb24d6be6923aed6fe6b3abb
SHA51236161d1747318b8aeb1b84acabef546d0c3fe4a2bd85ecf8a84231e2c9b2ea6cb43039ddbb4b737d0858b29d5f40262559212abff9cd70341449fb91b21d1ea5
-
Filesize
2KB
MD504b160a1f9907c40c213cc3f9eccfc89
SHA19d67c9a7daea596e2c2e0c7ed37a9e68b93a06cc
SHA256e919b8943929f9f7e6a8c9e7f2e7c623dcc7d093b0dbaec522f94fb73a899fac
SHA51296ce80fdb0f193a3c01c91a39aaca2f289c844bf9a0390be94c4d5ab6c24bb7fa6f1f36d3e3260660897e5eafe3a016ff2c341ae91c1e09bdc1f1d23a4c761cd
-
Filesize
139B
MD5448a0093092cbd74d4ce6dd2d76da0fd
SHA1154e35eae78a9655522a622e3ec95bee833d107d
SHA2562932f634b37baeea4b4ef76fdcd509fcae7230644df6c0ce7b43e3d8485be5a1
SHA51250846834e687079f8d7873910f702764fed077f515aafff89f6750841c159e4153e5169af32a649b92a0af39c92e963f873835977d67721fc6227ba10895949d
-
Filesize
4KB
MD5fc97a101113d88276c58400bba7aaf77
SHA1814d0c9fbdee6b3daba6d18389536fde536d3b2d
SHA25620b44f3859a6ff1b7c644fc90ced4e7ab37ccf5cb50ec21d59a92906932a4842
SHA512616ac0eb0bf54e4efb94b9cf1a301e8ad08f13d7477256552be616d450db84614a3a7e5376ec7d3fc11e893c38cf578eb826fbf156b17b2cf48e5004470e5bda
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize471B
MD50b5cc1567096a2c26583b437ccffbda6
SHA182f90c0ffd581f776eee31aa02a7ac591b00dba7
SHA256c831ca6c6ab7a7a6d1d45846377665f6c666dd3259a9a92c09ca5a553333ef10
SHA512241eab2417bd67f3b41db185529e95f0408a04f4b9490c23f2f96d4d3f23b613a9b217afd5dc795af36cdafb26472c5461d6da2c369d6942160165c065c618e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_46724C943F6B7C6A5058FD2AB6AD0E82
Filesize471B
MD5d54fd4e56689c105746052a518917b44
SHA1c226811fecfaf6c2e2960f52cb9acb594dde9858
SHA256a70828a221acec21eb57ac04a9779062d58ab0e4c542e2443f62629f35fcc09b
SHA51257cefe2c5d7fb01436761e5663032a943f8df269d64ba2c1ba090f0d7543da6d599f98f7a367e8780062b9b9d600b0bc54b3090c993e5acda7957514150769d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize404B
MD5953e0254994bb9db42872d23d590de0f
SHA11b2155214381e536079adb5e07d5f56b88c458b5
SHA256795e9f9e0ce92d55b7282e2a68fdf4d100de6100e455ff45cac602333b7873f2
SHA51274a86d6cc3e213e373a434e92c8f5ace62db214232395841b5dcc3b70d30f1ca90340b448c1cc9a9aa1fb3e81db85c0d40ef77e9bfc2aad164f42748f99fb382
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_46724C943F6B7C6A5058FD2AB6AD0E82
Filesize404B
MD56535d778d84f42642ad2f2bc179937fe
SHA115e01428e2ae77d3548b5742da232faf7de59bd4
SHA256861b4426792d13a7edca4e26a99c88754f409f223119ff8f868bc936dfe7c718
SHA512badfbdd6f7855451504d079912aa87bba36b9af502798a0eb6256b6ac1557916de9f83fb5eea8f2a01bf30f86715fde252eac6eab2a43951bdb4ea0af6b85ffc
-
Filesize
7KB
MD5505b8200b47596ab6a3f452976cd263e
SHA14cdff7b964c94a56f46a8d5bb21e815596fa5219
SHA2569adca9973081e44ee741f942bf3526b8eaf987bd386d8d331c8a6028f1965d28
SHA512b458093f0b27318f50bd675f199a0fe80148ada6a011e643bd1096cd1989b278b14544ddd0d2faa0b5e83d54f79f0122e9a11f1e26c19226135f5cc936eb87f0
-
Filesize
8KB
MD59f7018e10aab210dcae56256a041205a
SHA16fec12ac17ebf797b0bd25f5b21b3a6f81402709
SHA2564bc34866ce4c1848c4b3474857ce41143452e0097c39b2e16da4cf567ac2ea22
SHA512d8ece697d6a28a67047a31f6f94491ebcc736025ac4dd78e90113aa4e57db26960835e4fc1bee7cfb1d8db96196382a5266ef3d7058e6046ab774f68066e68cb
-
Filesize
2.1MB
MD5fcf165b905ff0d202effc99ff2a48d21
SHA17ff0cb486f05a224fefd50a3b8e802d05f1d494f
SHA2563d594148640c7a7dd5805a925c9df11de76743c57602ddf36b6783d97a942fda
SHA512d7a7bb7f276ded21739fed0b96ccff79237dc8b181bce48671e45085ac8d2851911ca46b71a915a50fc1dd80d38ac68b528667609e151ee4565aefc9fcb17072
-
Filesize
10KB
MD5a9dbb22ae31a9e6ee61467c5798d9178
SHA189d6da8ee8a851cc3c96b93ba8308987581acfbc
SHA256fe25ea8125a359f9658617433b0f17773f73d5a2479cf3baca97180e75febaee
SHA5127b56a3149e200ef4365ec8300c138268735f1054449569c5f0d6f416a8e6a4f6cf808b78a55b098ee42d78b5b54c5b7df3d2f2be53113c34a2fed18b95dbf555
-
Filesize
283B
MD55f4ad71da0e91304018ef0979e545ff2
SHA18e1228cc17ee581f2a7933a4a43b24b6037e6f10
SHA25682f2a1db1e70197ab651f41f07db2f1576ce3ccda20b190afca60665dbf5598f
SHA512897a2982e714b422476b8925e6745e2b58b3915526d3b7796c26d8e57bb7b20c8621d332ca895a7bbc8b72a2e5db5f2017ca1ee971b6bcc2a926971c56458c0b
-
Filesize
3.2MB
MD58ab7bcc7af00c0af2bc7e8ced7c81252
SHA1f35fab065ab2a352d36f3dc1b054cd0d79c442a0
SHA2569a43dd15af016a0a1292db8abf6cca2e028d4655a06e0b1e8dcd73ce97d13770
SHA512f58ffe5c52b8202d9fb39fe32a30a54ad42f5052b9e8b98e0d6f9e1f424a46033853e27bb88e1c32a7eeca4b242818c0882f5a7bc3e29e327efcfbca2099eeb6
-
\??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{635db9c9-97ed-48fc-8986-e7e37f343ab6}_OnDiskSnapshotProp
Filesize6KB
MD5bf9c0b28f89eefa6a9dcc1c244b0ce6c
SHA1594dc65d7cbdae6faaf2928650eed532c5b737c4
SHA256bdd60ebb2fa06d6915b40d5c51651eb7b2b0b81d01faff64c1f32270e672a074
SHA512e9cc91631c81ab5b8c54c7ae1abefd5a1958cd4578b2bc386ec98ca8b3d87a866a98095076c65d40203197d7e572e9f76d2a7c63879242e0d408fdc489a820c9