Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
03/10/2024, 11:51
Static task
static1
Behavioral task
behavioral1
Sample
GlobalProtect64.msi
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
GlobalProtect64.msi
Resource
win10v2004-20240802-en
General
-
Target
GlobalProtect64.msi
-
Size
153.1MB
-
MD5
4b1733124a19056ca4301231f2e0d245
-
SHA1
66a1b33fde2ae3d7fae05a059c861197d87c04c1
-
SHA256
21689eafdfd6005ae75683a423b7816592cdf9aae03d983782d9272bb71787b9
-
SHA512
c2513920d48986dc595a009d782253d5456543226d6f1aebf18609e268c15c35d1ca27dc6e38072d7d206391381c136aad471a20f25565b0e00c9af43bfc72ce
-
SSDEEP
3145728:QJCdGkU9a6wnzYdRQ7O7rtEtBsIvCcJr9SlX2OVwji5Xv+Jb8rTnNWFdbk:Q0dGk0a6wzOK7O7rtEEIvV9ShHV/v+JG
Malware Config
Signatures
-
Wikiloader
Wikiloader is a loader and backdoor written in C++.
-
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\SET3DB0.tmp | PanGPS.exe
File created | C:\Windows\system32\DRIVERS\SET3DB0.tmp | PanGPS.exe
File opened for modification | C:\Windows\system32\DRIVERS\pangpd.sys | PanGPS.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GlobalProtect = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe\"" | msiexec.exe
-
Blocklisted process makes network request 6 IoCs
flow | pid | Process
6 | 2780 | msiexec.exe
7 | 2780 | msiexec.exe
9 | 2780 | msiexec.exe
6 | 2780 | msiexec.exe
9 | 2780 | msiexec.exe
7 | 2780 | msiexec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid | Process
4712 | notepad.exe
-
Drops file in Program Files directory 61 IoCs
Drops file in Windows directory 64 IoCs
Executes dropped EXE 4 IoCs
pid | Process
4712 | notepad.exe
3444 | PanGPS.exe
2368 | PanGPS.exe
1564 | PanGPA.exe
-
Loads dropped DLL 6 IoCs
pid | Process
3444 | PanGPS.exe
4712 | notepad.exe
4712 | notepad.exe
4712 | notepad.exe
4712 | notepad.exe
2368 | PanGPS.exe
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2780 | msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 51 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000" | PanGPS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000" | PanGPS.exe
-
Modifies data under HKEY_USERS 53 IoCs
Modifies registry class 39 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Clients = 3a0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32 PanGPS.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\ = "\"URL:GlobalProtectCallback Protocol\"" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF\3C17C4569449DCB4A83E6046587057C1 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\globalprotectcallback\shell\open\command msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AdvertiseFlags = "388" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18} PanGPS.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\globalprotectcallback\DefaultIcon msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Language = "1033" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\PackageName = "GlobalProtect64.msi" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media\1 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ = "PanV2CredProv.dll" PanGPS.exe
Key created \REGISTRY\MACHINE\Software\Classes\globalprotectcallback msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1\DefaultFeature msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Version = "100728834" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AuthorizedLUAApp = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\ = "PanV2CredProv" PanGPS.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\DefaultIcon\ = "\"PanVcrediChecker.exe,1\"" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductIcon = "C:\\Windows\\Installer\\{654C71C3-9449-4BCD-8AE3-06648507751C}\\_853F67D554F05449430E7E.exe" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ThreadingModel = "Apartment" PanGPS.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command\ = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanVcrediChecker.exe\" \"%1\"" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\PackageCode = "8ED1743605AD5B14B93027D29575BED3" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Assignment = "1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductName = "GlobalProtect" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\InstanceType = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\URL Protocol msiexec.exe
Note: three different things are mixed in this table. (1) Windows Installer bookkeeping under Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1, which is the packed form of ProductCode {654C71C3-9449-4BCD-8AE3-06648507751C} (the ProductIcon path spells the GUID out), plus the matching UpgradeCodes entry; this records where the package was run from (C:\Users\Admin\AppData\Local\Temp\). (2) Registration of the globalprotectcallback: URL scheme with "C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe" "%1" as its handler; a URL protocol handler is an exposure point, since anything on the host that can open such a link gets to choose the argument passed as %1. (3) A COM class {25CA8579-1BD8-469c-B9FC-6AC45A161C18} whose in-process server is PanV2CredProv.dll, written by PanGPS.exe rather than by the installer. That CLSID key is created, not overwritten, so the "Component Object Model Hijacking" row in the ATT&CK matrix below reflects the sandbox mapping a fresh CLSID write to that technique, not evidence that an existing class was replaced.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process
3772 msiexec.exe (2 entries)
3444 PanGPS.exe (4 entries)
4712 notepad.exe (2 entries)
2368 PanGPS.exe (4 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3532 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
2780 msiexec.exe (31 entries, in logged order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
3772 msiexec.exe (22 entries): SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (SeRestorePrivilege 11 times, SeTakeOwnershipPrivilege 9 times)
2920 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2380 srtasks.exe (8 entries): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, each twice
Note: the 2780 list is one blanket AdjustTokenPrivileges sweep over every privilege in an elevated token, which is the Windows Installer client's normal behaviour for any package rather than something specific to this one; the fact that SeDebugPrivilege or SeTcbPrivilege appear in it says nothing about the payload. The backup/restore/take-ownership privileges enabled by the installer service (3772), srtasks.exe and vssvc.exe belong to the restore point the install creates and to file replacement in protected directories.
-
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process
2780 msiexec.exe (2 entries)
3532 Explorer.EXE (5 entries)
1564 PanGPA.exe (1 entry)
-
Suspicious use of SendNotifyMessage 6 IoCs
pid Process
3532 Explorer.EXE (5 entries)
1564 PanGPA.exe (1 entry)
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
4712 notepad.exe (1 entry)
1564 PanGPA.exe (2 entries)
-
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3532 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3772 wrote to memory of 2380 (srtasks.exe) 3772 msiexec.exe 96 (2 entries)
PID 3772 wrote to memory of 4712 (notepad.exe) 3772 msiexec.exe 99 (2 entries)
PID 3772 wrote to memory of 3444 (PanGPS.exe) 3772 msiexec.exe 100 (2 entries)
PID 4712 wrote to memory of 3532 (Explorer.EXE) 4712 notepad.exe 56 (58 entries, of the 64 listed)
Note: the two writes from the installer service into each child it starts are what this sandbox records for every CreateProcess and are expected. The 58 writes from the dropped notepad.exe into Explorer.EXE, a process that was already running and is not its child, are cross-process injection; read them together with that process's NtCreateThreadExHideFromDebugger and SetWindowsHookEx flags and with the flags the sandbox raised on Explorer.EXE itself (UnmapMainImage, GetForegroundWindowSpam).
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity is the system restore point that the Windows Installer service requests before changing the system: srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 (PID 2380, a child of the installer service) and vssvc.exe (PID 2920) both appear in the process tree with backup and restore privileges enabled. Nothing in the tree enumerates or deletes shadow copies, so this signature is installer behaviour, not the ransomware-style use the name might suggest.
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3532
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of UnmapMainImage

    [2] C:\Windows\system32\msiexec.exe
        Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GlobalProtect64.msi
        PID: 2780
        - Blocklisted process makes network request
        - Enumerates connected drives
        - Event Triggered Execution: Installer Packages
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe (Windows Installer service)
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 3772
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID: 2380
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe
        Command line: "C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe"
        PID: 4712
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
        Command line: "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit
        PID: 3444
        - Drops file in Drivers directory
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks SCSI registry key(s)
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 2920
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    PID: 680
    - Checks SCSI registry key(s)

    [2] C:\Windows\system32\DrvInst.exe
        Command line: DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"
        PID: 3852
        - Drops file in System32 directory
        - Checks SCSI registry key(s)
        - Modifies data under HKEY_USERS

[1] C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
    Command line: "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"
    PID: 2368
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
        Command line: "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" fromGPS
        PID: 1564
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

Reading the tree: the msiexec.exe started by Explorer (PID 2780) is the installer client; the msiexec.exe /V instance (PID 3772) is the Windows Installer service that performs the install. The service launches three things: the restore-point task (srtasks.exe), the GlobalProtect components (PanGPS.exe -commit, which installs the pangpd driver through the DeviceInstall svchost and DrvInst.exe, and later PanGPS.exe/PanGPA.exe as the running product), and a notepad.exe dropped under C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\. That third child is what the Wikiloader signature is about: it is a file the package dropped (Executes dropped EXE), it loads a dropped DLL the report does not name, creates threads hidden from debuggers, installs a window hook and writes into the already-running Explorer.EXE. A GlobalProtect install has no reason to start a notepad.exe from a per-user roaming folder, so the package is best read as a trojanized installer that carries the legitimate product alongside the loader; the dropped notepad.exe and the DLL it loads are the artifacts to pull from the sandbox, and the Run key under HKLM\...\CurrentVersion\Run\GlobalProtect points at PanGPA.exe, not at the loader.
-
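The tree and the WriteProcessMemory table above are enough to write the three triage rules a responder would apply to this kind of report: a well-known Windows binary name running from outside C:\Windows, a cross-process write whose target is not a child of the writer, and the Windows Installer service launching an executable out of a user profile. The script below is an added example by the editor, not code from the sandbox or from any vendor. PROCESSES and MEMORY_WRITES are transcribed from the report (the 58 count for notepad.exe is the 64 listed entries minus the six installer ones); the rules, the list of system-binary names and the tolerance for custom actions unpacked to %TEMP%\MSI*.tmp are the editor's own assumptions.

```python
"""Triage rules over the process tree and WriteProcessMemory table above.

Added example by the editor, not code from the sandbox or from any vendor.
PROCESSES and MEMORY_WRITES are transcribed from the report; the three rules,
SYSTEM_BINARY_NAMES and the %TEMP%\\MSI* tolerance are editor's assumptions.
"""
import ntpath  # Windows path semantics regardless of the host OS
from typing import NamedTuple, Optional


class Process(NamedTuple):
    pid: int
    ppid: Optional[int]  # None: parent not shown in the tree (depth-1 entries)
    image: str
    cmdline: str


# Constructed from the process tree above.
PROCESSES = [
    Process(3532, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Process(2780, 3532, r"C:\Windows\system32\msiexec.exe",
            r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GlobalProtect64.msi"),
    Process(3772, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Process(2380, 3772, r"C:\Windows\system32\srtasks.exe",
            r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    Process(4712, 3772, r"C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe",
            r'"C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe"'),
    Process(3444, 3772, r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe",
            r'"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit'),
    Process(2920, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    Process(680, None, r"C:\Windows\system32\svchost.exe",
            r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall"),
    Process(3852, 680, r"C:\Windows\system32\DrvInst.exe",
            r'DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"'),
    Process(2368, None, r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe",
            r'"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"'),
    Process(1564, 2368, r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe",
            r'"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" fromGPS'),
]

# (writer pid, target pid, number of logged writes), from the table above.
MEMORY_WRITES = [(3772, 2380, 2), (3772, 4712, 2), (3772, 3444, 2), (4712, 3532, 58)]

# Editor's list; extend to taste.
SYSTEM_BINARY_NAMES = {"notepad.exe", "explorer.exe", "svchost.exe", "msiexec.exe",
                       "rundll32.exe", "drvinst.exe"}
WINDOWS_DIR = "c:\\windows\\"


def masquerading_system_binaries(procs):
    """Well-known Windows binary names running from outside C:\\Windows (T1036)."""
    return [p.pid for p in procs
            if ntpath.basename(p.image).lower() in SYSTEM_BINARY_NAMES
            and not (ntpath.dirname(p.image).lower() + "\\").startswith(WINDOWS_DIR)]


def injection_candidates(procs, writes):
    """Cross-process writes whose target is not a child of the writer.
    The sandbox logs a parent's writes into a child it is creating, so those
    are expected; a write into an unrelated, pre-existing process is not."""
    parent_of = {p.pid: p.ppid for p in procs}
    return [(src, dst, n) for src, dst, n in writes if parent_of.get(dst) != src]


def installer_service_children_in_profile(procs):
    """Executables the Windows Installer service (msiexec.exe /V) launched from
    a user profile. Assumption: custom actions unpacked to %TEMP%\\MSI*.tmp are
    tolerated; anything else under \\Users\\ is reported."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        is_service = (ntpath.basename(parent.image).lower() == "msiexec.exe"
                      and "/v" in parent.cmdline.lower().split())
        img = p.image.lower()
        if is_service and "\\users\\" in img and "\\appdata\\local\\temp\\msi" not in img:
            hits.append(p.pid)
    return hits


def triage(procs, writes):
    """Run all three rules and return findings with image names filled in."""
    by_pid = {p.pid: p for p in procs}

    def name(pid):
        return ntpath.basename(by_pid[pid].image)

    return {
        "masquerading": [(pid, by_pid[pid].image) for pid in masquerading_system_binaries(procs)],
        "injection": [(src, name(src), dst, name(dst), n)
                      for src, dst, n in injection_candidates(procs, writes)],
        "installer_spawned_from_profile": [(pid, by_pid[pid].image)
                                           for pid in installer_service_children_in_profile(procs)],
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCESSES, MEMORY_WRITES).items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

All three rules converge on PID 4712, which is the point: none of them needs the Wikiloader signature, and each would fire on a fresh sample that the signature has not caught up with. The parent-child whitelist in injection_candidates is deliberately narrow; a loader that spawns a child and then hollows it would pass it, so pair the rule with the sandbox's NtCreateThreadExHideFromDebugger and UnmapMainImage flags rather than relying on it alone.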
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Installer Packages (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Installer Packages (1)
Downloads
-
Filesize
57KB
MD567eff5f551dc20561b422a8b35aa81b3
SHA1d0216eb93342112d173d7c1cb589d813376bfc8b
SHA256571730a9196f4f6ffda7dc0f2d1af2b67fb702d3238fea2237940ccada7de1f2
SHA51270e0e283f9f17704cc95fa34d843358e43f426f525d8318531feab48408d5bcdabede4727b15d856baae3db3eb8687f1fca7154e578dc21c6081c6d208ce20ae
-
Filesize
76KB
MD56ca91596cfae2079ba66bfbb099f41e6
SHA112729569ca22d782630e988c56a6472d8cfb96aa
SHA2569cc08f70555e3958e1676fba56b12d482ef961f8fdbba9e69db7a44f3b007a02
SHA512f06f785aa445c1f77d6b3553d3db99c1373f99ff55505bea71763f15b62334ebe1dd77550110179942fbb44b85ee7330ee59f888e409c8600f6df7a7611b8ace
-
Filesize
10KB
MD56f4e74e781e6bcf142dd838cfebb41c7
SHA1f4943f6168827c6e6e5cb4f9e7d34b35398d66c9
SHA256f6f9275be2da16360f7498dd1b4631f9b19fff816d8a025b0146c20572b1a1ea
SHA5126fe8ed0041cb9e9f0ed350df512738164b1f26a475a50db2f9691e7855d6e5ae1de590cab13e190ebd66765a722b39153c90e913cfa00835c0fc3cce347baa85
-
Filesize
12.7MB
MD567531d29184f8535d5a5bfa9b6f2dc55
SHA1137c77d9704e089325c383aaa12be1306912b157
SHA256f3efccf35546bb9b4167558f017171fd70756ef6b0b5c9e6ab618722c099d8de
SHA512450df85697933102db33f55c10bfaf816f5f4b30d84b7e7ea286b6697fd21bbd80a2a39aaec1629dc5dbb999bc9d3b75f740568ddeedb144b4acd4cfebecc8c0
-
Filesize
10.9MB
MD56cd4376e895378198b89bfb282429094
SHA166a4048d4af908c8774ae61645a8520711f3f98d
SHA256ba4bc8ca267de00eb89bb485788321b873f0e0b6aeddaacab9d6b2676c10ec08
SHA512aac34445ee9cf0a37bbb607cc495536b583a23910e02b2f588dccfb99ff58af5d550f439b4528e70ffe972ce17b9a92756fa7793e1644d590c1e474c972458d2
-
Filesize
279KB
MD527a8ea702bfb4dacdd21a42257563d9f
SHA1bce90f73a04f4fd3f854ae5b4a93e6da41e5ba63
SHA25685a11027117d5fb33a09298f28dde22af5e859fe574b41a9bf5da1e595334a27
SHA512ad891bc3f0626f67d482d9849384706cadc17b8688e0136aec2b9fc0cfa2203d6c8fbf3f02eb9452970a4ca66281be733e044cdea24a1d645e64e1dd9d390645
-
Filesize
318B
MD5f6a27a6265525b3e5b426dbba051e361
SHA1505ba359dfbc33dd42988e7ce1be38d3c95855fa
SHA2568b72bfeb1949ebcb56c799817f6a6e8b2ca207f8bb42a8a5a049318d8ce6e67a
SHA512a946e85adac595738fd05570a6e801c4d04b3085b2ec40da0e518ed23ce014b70e32f1eb5496943b7df8d128d830319b4da26281e9e45ebd2dd993627a59e076
-
Filesize
1KB
MD559047a2792365f9b24e7e3b6e5127d99
SHA16af38e562d8d4ef9480ca1ef648d0ab6c24bc27e
SHA256bb8b331284e09a0e302072d1a59dc9a1a0c55aeaa5aea1798d6cfb384473cc9d
SHA5127802c3abdee0a1acd4081a68a8484efc115a30a172e95b65847b3db202d300d3dbf6b2915e3599ed5e938ed38c4be7b46281a98071b416a5594e6938319e36b0
-
Filesize
1KB
MD5496eeb65086ded709e08e6a7ea63d8b5
SHA123729c08ef89674e7b9983b21b32abaff1d9cbe2
SHA256a5592cbbea7b737eeca4be52fd7345dd7502503ba6564c5c239f28117e74feaa
SHA512ef79ea8210e224ddc92e6a7501d15e7b489b86405df176fd26db1464660bbff5e4954649bb87b013b4ad13c0dede3b9557288c44933f6f8e093bb745689cd4b2
-
Filesize
2KB
MD5ae0ff3b43cd924be4879272f1b299c6f
SHA1e7786ea61936c1e9be68b6d7f57e014e5b2f8675
SHA2564be8279b6fd0c51f3f9ec20e67db424b545463c2f393301df201f46286a4dd1e
SHA51235ed5e311f6dc9a4d593ca7a7c1a90500bf8ce47ed5359c4c5c26ae0950c3e40db2763a795402898f77d4f060905674ccbd8c8cc28fe9ea3a1e9844b1e6440de
-
Filesize
4KB
MD5fc97a101113d88276c58400bba7aaf77
SHA1814d0c9fbdee6b3daba6d18389536fde536d3b2d
SHA25620b44f3859a6ff1b7c644fc90ced4e7ab37ccf5cb50ec21d59a92906932a4842
SHA512616ac0eb0bf54e4efb94b9cf1a301e8ad08f13d7477256552be616d450db84614a3a7e5376ec7d3fc11e893c38cf578eb826fbf156b17b2cf48e5004470e5bda
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect\GlobalProtect.lnk
Filesize2KB
MD55e55d97eb80d69416b1bb134ee231e87
SHA155b6b630dad53b0b5bd08d8ffe5ec62e9da9fa05
SHA256dbd2394d133c44426dd317cc3e05ebd2f167cb7f602abebc466621baea348ba3
SHA5120f8bf88c38a1b215ff7ac474a883fe0618cabd4c4b5e2c0505b2e80486e16b5d686fb836d8097c403fb77013bc33e06b28c1573d3327b812a02d5ace3d7d6fbe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F
Filesize1KB
MD5f769b5c6163772e00b8520c7ee885f75
SHA12b876d92b132e02a06b8989becd556186263fc88
SHA2569492b4b3ef0eb4b5d3db8c8aacc0e9f887f560b746066523cee44a7a2c097d61
SHA512e1e026c295d1831e8a3a217785af340f4e01d6d2e4f15fd2b339bb6ca445ee080dff9827cd6d54b6e1255b1e46599574d337d557ac0c0c62da1cf197bf0478b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize1KB
MD5fe0ac8beaebc0ba6c1eac827efd7b33c
SHA11b8e447b03284ebab53da2ba6f1547f7520cada2
SHA256c835dd416199911b0cd1a2727f29007f037bf23e5fa1bef893552217243b6605
SHA5125c23e1348b6b913259022a30d8152dfaa9652ea447e2d04f5f840dc4afaf7acefa0521fdb4d648e0a8e0c0f0b9ac6eca898fdeb78e34b063bc0e267402172599
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F
Filesize536B
MD5f9741a91cb482ea0c92fc4e007175256
SHA1dc07a144891ac42e19afc455e8f5084d00460199
SHA256c4e4241c2e6fe344da70c5bff1c0626309162d5db9f7335a3ff3c53e27cbc18b
SHA5121168397f38ec403c98b8507b238d098e347626c174e44b32d24b943b98cff80503e819a26e537887ec3a9054a4c60dd539ece01c89a66a6cfc7e061a6cf7b3fc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize536B
MD51b0d07806f86a6d729aaa762b9a00f1f
SHA1f5f354fc562bbc0b10bf38ae285560d3dd497240
SHA2566264ae380820f526d452db0c69819e9d58e5ef8d3ca289ea392634dcc8441c8e
SHA5122ec127d9ca98434f3d6d7625c373e8a887963794d8541c424be8ded90c3a27e68dbeb5d26aca40d2383060e16be1667ae1429652f2fa5d3d4fc1d92208d40ab7
-
Filesize
111KB
MD50354061f1966b42a95ea67339b368d3a
SHA1c2332f191549677673c65d6f310766cb372a51f3
SHA256f09651ea066297d14aa03603ff8fb8a7837038db8837051291121c547e7070fc
SHA512800db5e1cab015de61b5ce9a1af99de19fed4f0737c7949fdb1c4c4ea3ff460e8b01355fa7657744b3c43f2bb80f29bbd88fbb7e5c26d477f5560a3ccd227b39
-
Filesize
7KB
MD57a90522d275e13ab0813da65e9b0da43
SHA12bf10880d9d7f84fc761d3cd720d037f3c022c2a
SHA256c9ecaff72fbbcdde1f7614d306fe9d6884da76557bfc9a2e498a8f97724121f9
SHA51206394dc52ed7f55455d4a327be7155f4b2ca2e416ce1ed2cfc8a74edf088f233500d4647ac2907aea562af01a9450ccd324d97f8e4a9725781b6648ea0a9fe1e
-
Filesize
4KB
MD5fde4cc09d1c18c6cd7c1a4878e89d27e
SHA122fba21b254fed1a60da5de2b8af3cf6e132b647
SHA25643ac0b7ba9b1f91fd8d4841b8119344e6212b307a1decccf61658f31d38bb425
SHA512fcc87b93cb4dd0949e82edb7d2788d7abd317f9f4c5f046ceba1cd85a64b12b29c6baba3e8646265db02a48a2dc20c3b5e893a1334d9b1e91d26692b4e9c2d29
-
Filesize
451KB
MD50ca5163fef9dc83b8fba4f6524fd5801
SHA1a2a7b6d3ca67a56c9f384c74e96912ebea7262cd
SHA256d5bfd6ae3c031de46b4bb30abe9b44dbe4caa33228946853481be1b1d23c1a6d
SHA5127b81e6457200712f1b1beaea215fc68fea522517ba8dbaf4ab1230703da22d8ceb08e0057e60fccd076b087e9edf7c660957e4a3763c0bf906e9a6c827fac4d8
-
Filesize
1.7MB
MD52f646fcc13c2c392c4af2f2d83a08a25
SHA19ac5faae7de79ce79cc4d8dacc078b37c7ec8874
SHA25638ff6bcb91bd6cbceec26bc60007c60031d9f35181fbae851bd239f361cf38db
SHA5122fe323f45990398cd7bca29c43e53611c45d08ae4f146bae6afd978d1c5ee8f4c5945c146866362e474d9e3d6f2e5c4741aea8d446a157469bf2d7424b5dbe3c
-
Filesize
6.9MB
MD58279706ad64d33bf4eceb2c1becef274
SHA1582cd15c2d1bf27da142ced63ffe490818bf4fa7
SHA256712abdd019cd2e4d96cee74d94eafba8f21ffc35c99a656c228a179ba6f5b310
SHA51269d5f5a2ceaa10a822d24af6c0cfba91804886c7fdb634931c2c6149dec29b98a7770fa7e3cb8630a525c088c39a84382ad30556aa9d4092e4b2e356af39cf9d
-
Filesize
204KB
MD5e7ab0446d3d300d93ab65dd9f94dd59b
SHA1999f0dd30d4aa5224ade7b1bb2d4410494ee7324
SHA25683bd50d9c6d57a58e75838e92c4d5cc61d1cc604b4db033559c756b857f267fe
SHA51293016a843cee731c7b6195e36b218806734506e1aa44648731510962db1f8e405d1fc1952936a23340397c6b4fbb11ff0b832646970a79644042457cab3b159d
-
Filesize
198KB
MD57ce0e43b22274d55d7c8fbe937fdd70a
SHA1b8b42b145e0fad49c3f497dd291d95629b24bc0e
SHA25615b522475027a659988edcd0b9efa18f2cf9d04ecf5f88d1c577eb8be1f55156
SHA51298c40c83b9e4c7f92f83a3c8fc8974c818edadc89b1aeb59922062b514fac47be9a3cf90859ee07dc9f641066a4d65182dc6b7641c41bde55c601bf08302533e
-
Filesize
153KB
MD5b29065b03a282b5560464fcc657945b2
SHA1b4f9cec583775c22ed7fbc967743df9effeb7d2a
SHA256f235cc34e126b47847b9aa89bf5ead47948de4d190b5fe2117ae6deff47e63e6
SHA5123872f4d85a88363c2538b41d85b6cfbfc14b1abe2b452cb9f71cbe310f53cc2522f1f072fc33853d17662a3cb39c656d698559b4a40bf5d9cffdfa11c47116d6
-
Filesize
145KB
MD58c0a29be7fa71be3e638da1e3e5d738f
SHA107842ac568f779dca6dd2756c401f6a6709c1dfc
SHA256119ecd68ab332770bcfe92a3ccdb549b0078d91cc2292bb9d02dc8aa27ca3cc3
SHA512e2a4f7bae0a63c65c9c53fd98ac5e97fc9a363bc5656a17640b05da22c45ef76c7049cc8f66d0e7683d8f2fd615fb6a5d406aa0c6812b56d91029ce812c70909
-
Filesize
193B
MD55d261612f9233dc1754c83fee2c5a854
SHA116f3543dcc6ed0bb3f111e6bca845fe1cd1a20ec
SHA25652226d6d91ffe76d8aa3ce42982da9bb4881f04eb0d8d4ebb34a6e3204845901
SHA512875bbffd4772964ada70a4cf3aab6e9f6193757dc653d2cf58642156b4b15d6a806b86b6252f6bfec503065d3f7384b248b669064327fe74a948d9c273084bba
-
Filesize
3KB
MD5fb573784b83033dd4361f52006d02cb8
SHA10a2923a44ec1bd5e7e8bc7cace15857ae03bf63c
SHA25637a24662cd55b627807bc2bb7cbba5bbf2abaf6da4dd7bbb949bfaa7903eae9c
SHA512753b44b5e8bea858cf5cc5ddfdc38098a2f3f921949cf98706ead95bdfa1de7ab0c115e9d69237623a03c422969480204c69d3ba277141527458c68230d0c67c
-
Filesize
145KB
MD55a1e2d61baabbca3d728795fde4e20b1
SHA14d6b30c63fe9a8f4661a70e32b3593dfba991aef
SHA25693840216b598ecb738be81a66dfbb3cf5bdd2abc06af9148ea41884553e8212a
SHA512f5042e66981d04cb40bd3a9dd5aca4ec891170d2f4c7ca544605c6753f1c3bb143d0c9665a3fc4677182ebde6a13c8d68a976ff7d463750502a9a12756d42a9a
-
Filesize
182KB
MD5343b8f55f376e88674733286d027f834
SHA1466886054d5c2641ba6058f58a7a84053aa4696e
SHA256f002b36e70f0fb159885c21fa6e6395176cd50a254201a94cbed756d9843fa9a
SHA512ef6643badbb87739f0ae847d201651f8d3e677c54ca2aa3f81277b053355772f71d9b0f490617c104ce861a29e2b283fe6d82faf4cfe8f10bfc571d683cfea8e
-
Filesize
2KB
MD5bc4b775a277672fc7edf956120576ecb
SHA1fe7c2db5b4d4c5a3f5603cf56c4d71cc9ee2d71d
SHA2564ec98de37193f41242c1a47507bcc4c1af555e71154f7354272bc3e664e19877
SHA512f87dc3ce52831ee308fbfa2b1b94c07e2811e7028360f046e012f8ea5a8f0ebcd362de7a663dee810c3da0791474c1485b1a2626c7867e76236156b125ff39b2
-
Filesize
818KB
MD57073a8f48d526090a30c5c7e6191ca08
SHA12908951eb08202ae355a4e5a6f06076725bee725
SHA25635663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc
SHA51274705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753
-
Filesize
6KB
MD5672e6d5f89887666ec94711e442644e0
SHA18d069ae93347316eff0dcf7aff4d22da18a62af2
SHA256b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04
SHA5128fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc
-
Filesize
6KB
MD53690cef1865e32fe6be1b2ec7656539a
SHA1bc043bec63c310a60d9e242810036460c467945d
SHA256e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25
SHA512c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051
-
Filesize
4KB
MD5f1814a363433ed1e413ad7c650414c42
SHA1c0dcbe7a66f8ad0b83fd0873cb01d6b4a57a30da
SHA2562237534a7e9f656c859a5802007ff17e4649d6ffe4f30a844dae582c14de260b
SHA512a364a617806433b2895f6be7b9363117bac3bb2594496b0c32deb3e0fe0e6ab4d77c67d7295176db96a6e8cbf3eeaeeec58a1d96361cf799ee925ba5cb94373f
-
Filesize
10KB
MD5455df6f647ecc9a916e72bf2ca723fea
SHA17db54ebbdfe3e44991ea83afab5a5f4ea964afc8
SHA25600feb73b91ff4e706a01f27187b240ad24714ea99481fef5efeb919f106bcef7
SHA51285c9e5f83b047847889a1c2a4f68f562b74c489b3b6f0435139790149d38288c8f86c0b823e447827e46bbd51c943e21f460af3686786484e49d27d0d0b63c6d
-
Filesize
23.7MB
MD51f05d1d729a1537f090d201942d2051e
SHA1ed8dedda5d337082b34add0def5ae20b59f43876
SHA256b9dbb4892809f9f27d1764a158013e75607294341734f725146aa96c3e48a66c
SHA51288ac8a1417684de8284ad8862e97ec7f714cee0dc2191e8946f3ceb61f6bdee104d6b1422e0ae5d1925d73b8b3568c08b6815888d84796f958c240c400111d28
-
\??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4ac3c54d-dcc8-4fe6-add0-d41a7b417222}_OnDiskSnapshotProp
Filesize6KB
MD571bd0f02eb5f8b76bd90c5b844218368
SHA12c147116123d09f27357311952ac304928aa9fd2
SHA25659b0d7e441bbdca79c0acdce374b659146e7c64085b89fa3f19cee02b06e867b
SHA512dc1e5e41bf072284de7f50f0906f5b9826558bcb80d6f410a8789d88e1183cab8c043eaa5f1ea3148d2d3a928afff692c2ab0349683987fd296d5e3e587eabaa