wikiloader | 21689eafdfd6005ae75683a423b7816592cdf9aae03d983782d9272bb71787b9

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlobalProtect64.msi
Size

153.1MB
MD5

4b1733124a19056ca4301231f2e0d245
SHA1

66a1b33fde2ae3d7fae05a059c861197d87c04c1
SHA256

21689eafdfd6005ae75683a423b7816592cdf9aae03d983782d9272bb71787b9
SHA512

c2513920d48986dc595a009d782253d5456543226d6f1aebf18609e268c15c35d1ca27dc6e38072d7d206391381c136aad471a20f25565b0e00c9af43bfc72ce
SSDEEP

3145728:QJCdGkU9a6wnzYdRQ7O7rtEtBsIvCcJr9SlX2OVwji5Xv+Jb8rTnNWFdbk:Q0dGk0a6wzOK7O7rtEEIvV9ShHV/v+JG

Score

10^/10

wikiloader backdoor loader persistence privilege_escalation

Malware Config

Signatures

Wikiloader
Wikiloader is a loader and backdoor written in C++.
loader backdoor wikiloader

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET3DB0.tmp	PanGPS.exe
File created	C:\Windows\system32\DRIVERS\SET3DB0.tmp	PanGPS.exe
File opened for modification	C:\Windows\system32\DRIVERS\pangpd.sys	PanGPS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GlobalProtect = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe\""	msiexec.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
6	2780	msiexec.exe
7	2780	msiexec.exe
9	2780	msiexec.exe
6	2780	msiexec.exe
9	2780	msiexec.exe
7	2780	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nett4x64.inf_amd64_54eacac1858c78ab\nett4x64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\netvf63a.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c69d2d6-9caa-5e48-bb64-0ac42ce496cc}\SET35F2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c69d2d6-9caa-5e48-bb64-0ac42ce496cc}\pangpd.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipoib6x.inf_amd64_ef71073a5867971f\ipoib6x.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed\usbncm.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\Temp\{7c69d2d6-9caa-5e48-bb64-0ac42ce496cc}\SET35F2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF	PanGPS.exe
File created	C:\Windows\system32\PanPlapProvider.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\netsstpa.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c69d2d6-9caa-5e48-bb64-0ac42ce496cc}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF	PanGPS.exe
File created	C:\Windows\system32\PanCredProv.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\Temp\{7c69d2d6-9caa-5e48-bb64-0ac42ce496cc}\SET35D0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd64.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\nete1g3e.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c69d2d6-9caa-5e48-bb64-0ac42ce496cc}\pangpd64.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\net8187bv64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF	PanGPS.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4712	notepad.exe

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Connected.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\close2.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Regular.ttf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.bmp	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_busy.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\license.cfg	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.avi	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.inf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap2.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\res\help.chm	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.cat	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.cat	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap1.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\close1.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok_msg.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\uninstall.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanSupport.ico	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Semibold.ttf	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedNone.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\close3.bmp	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\pan_gp_event.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\DEM64.msi	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Decimal-Medium-Pro.otf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_stop.ico	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00001.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00003.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedInternal.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd64.cat	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanMSAgent.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedFail.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\res\Panw-Logo.png	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_fssystemrecovery.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmpsion.PNF	PanGPS.exe
File created	C:\Windows\INF\mrvlpcie8897.PNF	PanGPS.exe
File created	C:\Windows\INF\rtvdevx64.PNF	PanGPS.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\ipmidrv.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmgl005.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmgl006.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmotou.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmsier.PNF	PanGPS.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	PanGPS.exe
File created	C:\Windows\INF\rdlsbuscbs.PNF	PanGPS.exe
File created	C:\Windows\Installer\SourceHash{654C71C3-9449-4BCD-8AE3-06648507751C}	msiexec.exe
File created	C:\Windows\INF\c_smrvolume.PNF	PanGPS.exe
File created	C:\Windows\INF\fusionv2.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmaiwat.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmhandy.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmcom.PNF	PanGPS.exe
File created	C:\Windows\INF\netathrx.PNF	PanGPS.exe
File created	C:\Windows\INF\netbc64.PNF	PanGPS.exe
File created	C:\Windows\INF\prnms007.PNF	PanGPS.exe
File created	C:\Windows\INF\remoteposdrv.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmelsa.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmod.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmot64.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmnokia.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmracal.PNF	PanGPS.exe
File created	C:\Windows\INF\netwtw06.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmbsb.PNF	PanGPS.exe
File created	C:\Windows\INF\megasas2i.PNF	PanGPS.exe
File created	C:\Windows\INF\microsoft_bluetooth_hfp_ag.PNF	PanGPS.exe
File created	C:\Windows\INF\netwew01.PNF	PanGPS.exe
File created	C:\Windows\INF\PerceptionSimulationHeadset.PNF	PanGPS.exe
File created	C:\Windows\INF\c_mouse.PNF	PanGPS.exe
File created	C:\Windows\INF\c_mtd.PNF	PanGPS.exe
File created	C:\Windows\INF\microsoft_bluetooth_hfp_hf.PNF	PanGPS.exe
File created	C:\Windows\INF\netwmbclass.PNF	PanGPS.exe
File created	C:\Windows\INF\c_hidclass.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmsmart.PNF	PanGPS.exe
File created	C:\Windows\INF\netbrdg.PNF	PanGPS.exe
File created	C:\Windows\INF\oem1.PNF	PanGPS.exe
File created	C:\Windows\INF\c_display.PNF	PanGPS.exe
File created	C:\Windows\INF\c_fsencryption.PNF	PanGPS.exe
File created	C:\Windows\INF\c_scsiadapter.PNF	PanGPS.exe
File created	C:\Windows\INF\c_swcomponent.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmcpq.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmgl004.PNF	PanGPS.exe
File created	C:\Windows\INF\c_fscompression.PNF	PanGPS.exe
File created	C:\Windows\INF\hdaudss.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmct.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmtexas.PNF	PanGPS.exe
File created	C:\Windows\INF\netrtwlane01.PNF	PanGPS.exe
File created	C:\Windows\INF\netrtwlans.PNF	PanGPS.exe
File created	C:\Windows\INF\smrdisk.PNF	PanGPS.exe
File created	C:\Windows\INF\dc21x4vm.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmnttte.PNF	PanGPS.exe
File created	C:\Windows\INF\vca.PNF	PanGPS.exe
File created	C:\Windows\INF\wvmic_kvpexchange.PNF	PanGPS.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmhrtz.PNF	PanGPS.exe
File created	C:\Windows\INF\xusb22.PNF	PanGPS.exe
File created	C:\Windows\INF\ykinx64.PNF	PanGPS.exe
File created	C:\Windows\INF\btampm.PNF	PanGPS.exe
File created	C:\Windows\INF\netvf63a.PNF	PanGPS.exe

Executes dropped EXE 4 IoCs

pid	Process
4712	notepad.exe
3444	PanGPS.exe
2368	PanGPS.exe
1564	PanGPA.exe

Loads dropped DLL 6 IoCs

pid	Process
3444	PanGPS.exe
4712	notepad.exe
4712	notepad.exe
4712	notepad.exe
4712	notepad.exe
2368	PanGPS.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2780	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 51 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	PanGPS.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9aa8484b1ca68e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9aa84840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9aa8484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9aa8484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9aa848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	PanGPS.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	PanGPS.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000"	PanGPS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000"	PanGPS.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32	PanGPS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\ = "\"URL:GlobalProtectCallback Protocol\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF\3C17C4569449DCB4A83E6046587057C1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\globalprotectcallback\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}	PanGPS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\globalprotectcallback\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\PackageName = "GlobalProtect64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ = "PanV2CredProv.dll"	PanGPS.exe
Key created	\REGISTRY\MACHINE\Software\Classes\globalprotectcallback	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Version = "100728834"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\ = "PanV2CredProv"	PanGPS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\DefaultIcon\ = "\"PanVcrediChecker.exe,1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductIcon = "C:\\Windows\\Installer\\{654C71C3-9449-4BCD-8AE3-06648507751C}\\_853F67D554F05449430E7E.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ThreadingModel = "Apartment"	PanGPS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command\ = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanVcrediChecker.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\PackageCode = "8ED1743605AD5B14B93027D29575BED3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductName = "GlobalProtect"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\URL Protocol	msiexec.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3772	msiexec.exe
3772	msiexec.exe
3444	PanGPS.exe
3444	PanGPS.exe
4712	notepad.exe
4712	notepad.exe
3444	PanGPS.exe
3444	PanGPS.exe
2368	PanGPS.exe
2368	PanGPS.exe
2368	PanGPS.exe
2368	PanGPS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3532	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2780	msiexec.exe
Token: SeSecurityPrivilege	3772	msiexec.exe
Token: SeCreateTokenPrivilege	2780	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2780	msiexec.exe
Token: SeLockMemoryPrivilege	2780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2780	msiexec.exe
Token: SeMachineAccountPrivilege	2780	msiexec.exe
Token: SeTcbPrivilege	2780	msiexec.exe
Token: SeSecurityPrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeLoadDriverPrivilege	2780	msiexec.exe
Token: SeSystemProfilePrivilege	2780	msiexec.exe
Token: SeSystemtimePrivilege	2780	msiexec.exe
Token: SeProfSingleProcessPrivilege	2780	msiexec.exe
Token: SeIncBasePriorityPrivilege	2780	msiexec.exe
Token: SeCreatePagefilePrivilege	2780	msiexec.exe
Token: SeCreatePermanentPrivilege	2780	msiexec.exe
Token: SeBackupPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeShutdownPrivilege	2780	msiexec.exe
Token: SeDebugPrivilege	2780	msiexec.exe
Token: SeAuditPrivilege	2780	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2780	msiexec.exe
Token: SeChangeNotifyPrivilege	2780	msiexec.exe
Token: SeRemoteShutdownPrivilege	2780	msiexec.exe
Token: SeUndockPrivilege	2780	msiexec.exe
Token: SeSyncAgentPrivilege	2780	msiexec.exe
Token: SeEnableDelegationPrivilege	2780	msiexec.exe
Token: SeManageVolumePrivilege	2780	msiexec.exe
Token: SeImpersonatePrivilege	2780	msiexec.exe
Token: SeCreateGlobalPrivilege	2780	msiexec.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe
Token: SeBackupPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeBackupPrivilege	2380	srtasks.exe
Token: SeRestorePrivilege	2380	srtasks.exe
Token: SeSecurityPrivilege	2380	srtasks.exe
Token: SeTakeOwnershipPrivilege	2380	srtasks.exe
Token: SeBackupPrivilege	2380	srtasks.exe
Token: SeRestorePrivilege	2380	srtasks.exe
Token: SeSecurityPrivilege	2380	srtasks.exe
Token: SeTakeOwnershipPrivilege	2380	srtasks.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2780	msiexec.exe
3532	Explorer.EXE
3532	Explorer.EXE
3532	Explorer.EXE
1564	PanGPA.exe
3532	Explorer.EXE
3532	Explorer.EXE
2780	msiexec.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3532	Explorer.EXE
3532	Explorer.EXE
3532	Explorer.EXE
1564	PanGPA.exe
3532	Explorer.EXE
3532	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4712	notepad.exe
1564	PanGPA.exe
1564	PanGPA.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3532	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2380	3772	msiexec.exe	96
PID 3772 wrote to memory of 2380	3772	msiexec.exe	96
PID 3772 wrote to memory of 4712	3772	msiexec.exe	99
PID 3772 wrote to memory of 4712	3772	msiexec.exe	99
PID 3772 wrote to memory of 3444	3772	msiexec.exe	100
PID 3772 wrote to memory of 3444	3772	msiexec.exe	100
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56
PID 4712 wrote to memory of 3532	4712	notepad.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3532
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GlobalProtect64.msi
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe
  "C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4712
- C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
  "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
PID:680
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3852

C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2368
- C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
  "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" fromGPS
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f500.rbs

Filesize
57KB

MD5
67eff5f551dc20561b422a8b35aa81b3

SHA1
d0216eb93342112d173d7c1cb589d813376bfc8b

SHA256
571730a9196f4f6ffda7dc0f2d1af2b67fb702d3238fea2237940ccada7de1f2

SHA512
70e0e283f9f17704cc95fa34d843358e43f426f525d8318531feab48408d5bcdabede4727b15d856baae3db3eb8687f1fca7154e578dc21c6081c6d208ce20ae

Download Submit
C:\PROGRA~1\PALOAL~1\GLOBAL~1\pangpd.sys

Filesize
76KB

MD5
6ca91596cfae2079ba66bfbb099f41e6

SHA1
12729569ca22d782630e988c56a6472d8cfb96aa

SHA256
9cc08f70555e3958e1676fba56b12d482ef961f8fdbba9e69db7a44f3b007a02

SHA512
f06f785aa445c1f77d6b3553d3db99c1373f99ff55505bea71763f15b62334ebe1dd77550110179942fbb44b85ee7330ee59f888e409c8600f6df7a7611b8ace

Download Submit
C:\PROGRA~1\PALOAL~1\GLOBAL~1\pangpd64.cat

Filesize
10KB

MD5
6f4e74e781e6bcf142dd838cfebb41c7

SHA1
f4943f6168827c6e6e5cb4f9e7d34b35398d66c9

SHA256
f6f9275be2da16360f7498dd1b4631f9b19fff816d8a025b0146c20572b1a1ea

SHA512
6fe8ed0041cb9e9f0ed350df512738164b1f26a475a50db2f9691e7855d6e5ae1de590cab13e190ebd66765a722b39153c90e913cfa00835c0fc3cce347baa85

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Filesize
12.7MB

MD5
67531d29184f8535d5a5bfa9b6f2dc55

SHA1
137c77d9704e089325c383aaa12be1306912b157

SHA256
f3efccf35546bb9b4167558f017171fd70756ef6b0b5c9e6ab618722c099d8de

SHA512
450df85697933102db33f55c10bfaf816f5f4b30d84b7e7ea286b6697fd21bbd80a2a39aaec1629dc5dbb999bc9d3b75f740568ddeedb144b4acd4cfebecc8c0

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Filesize
10.9MB

MD5
6cd4376e895378198b89bfb282429094

SHA1
66a4048d4af908c8774ae61645a8520711f3f98d

SHA256
ba4bc8ca267de00eb89bb485788321b873f0e0b6aeddaacab9d6b2676c10ec08

SHA512
aac34445ee9cf0a37bbb607cc495536b583a23910e02b2f588dccfb99ff58af5d550f439b4528e70ffe972ce17b9a92756fa7793e1644d590c1e474c972458d2

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll

Filesize
279KB

MD5
27a8ea702bfb4dacdd21a42257563d9f

SHA1
bce90f73a04f4fd3f854ae5b4a93e6da41e5ba63

SHA256
85a11027117d5fb33a09298f28dde22af5e859fe574b41a9bf5da1e595334a27

SHA512
ad891bc3f0626f67d482d9849384706cadc17b8688e0136aec2b9fc0cfa2203d6c8fbf3f02eb9452970a4ca66281be733e044cdea24a1d645e64e1dd9d390645

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

Filesize
318B

MD5
f6a27a6265525b3e5b426dbba051e361

SHA1
505ba359dfbc33dd42988e7ce1be38d3c95855fa

SHA256
8b72bfeb1949ebcb56c799817f6a6e8b2ca207f8bb42a8a5a049318d8ce6e67a

SHA512
a946e85adac595738fd05570a6e801c4d04b3085b2ec40da0e518ed23ce014b70e32f1eb5496943b7df8d128d830319b4da26281e9e45ebd2dd993627a59e076

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

Filesize
1KB

MD5
59047a2792365f9b24e7e3b6e5127d99

SHA1
6af38e562d8d4ef9480ca1ef648d0ab6c24bc27e

SHA256
bb8b331284e09a0e302072d1a59dc9a1a0c55aeaa5aea1798d6cfb384473cc9d

SHA512
7802c3abdee0a1acd4081a68a8484efc115a30a172e95b65847b3db202d300d3dbf6b2915e3599ed5e938ed38c4be7b46281a98071b416a5594e6938319e36b0

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

Filesize
1KB

MD5
496eeb65086ded709e08e6a7ea63d8b5

SHA1
23729c08ef89674e7b9983b21b32abaff1d9cbe2

SHA256
a5592cbbea7b737eeca4be52fd7345dd7502503ba6564c5c239f28117e74feaa

SHA512
ef79ea8210e224ddc92e6a7501d15e7b489b86405df176fd26db1464660bbff5e4954649bb87b013b4ad13c0dede3b9557288c44933f6f8e093bb745689cd4b2

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

Filesize
2KB

MD5
ae0ff3b43cd924be4879272f1b299c6f

SHA1
e7786ea61936c1e9be68b6d7f57e014e5b2f8675

SHA256
4be8279b6fd0c51f3f9ec20e67db424b545463c2f393301df201f46286a4dd1e

SHA512
35ed5e311f6dc9a4d593ca7a7c1a90500bf8ce47ed5359c4c5c26ae0950c3e40db2763a795402898f77d4f060905674ccbd8c8cc28fe9ea3a1e9844b1e6440de

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf

Filesize
4KB

MD5
fc97a101113d88276c58400bba7aaf77

SHA1
814d0c9fbdee6b3daba6d18389536fde536d3b2d

SHA256
20b44f3859a6ff1b7c644fc90ced4e7ab37ccf5cb50ec21d59a92906932a4842

SHA512
616ac0eb0bf54e4efb94b9cf1a301e8ad08f13d7477256552be616d450db84614a3a7e5376ec7d3fc11e893c38cf578eb826fbf156b17b2cf48e5004470e5bda

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect\GlobalProtect.lnk

Filesize
2KB

MD5
5e55d97eb80d69416b1bb134ee231e87

SHA1
55b6b630dad53b0b5bd08d8ffe5ec62e9da9fa05

SHA256
dbd2394d133c44426dd317cc3e05ebd2f167cb7f602abebc466621baea348ba3

SHA512
0f8bf88c38a1b215ff7ac474a883fe0618cabd4c4b5e2c0505b2e80486e16b5d686fb836d8097c403fb77013bc33e06b28c1573d3327b812a02d5ace3d7d6fbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F

Filesize
1KB

MD5
f769b5c6163772e00b8520c7ee885f75

SHA1
2b876d92b132e02a06b8989becd556186263fc88

SHA256
9492b4b3ef0eb4b5d3db8c8aacc0e9f887f560b746066523cee44a7a2c097d61

SHA512
e1e026c295d1831e8a3a217785af340f4e01d6d2e4f15fd2b339bb6ca445ee080dff9827cd6d54b6e1255b1e46599574d337d557ac0c0c62da1cf197bf0478b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
fe0ac8beaebc0ba6c1eac827efd7b33c

SHA1
1b8e447b03284ebab53da2ba6f1547f7520cada2

SHA256
c835dd416199911b0cd1a2727f29007f037bf23e5fa1bef893552217243b6605

SHA512
5c23e1348b6b913259022a30d8152dfaa9652ea447e2d04f5f840dc4afaf7acefa0521fdb4d648e0a8e0c0f0b9ac6eca898fdeb78e34b063bc0e267402172599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F

Filesize
536B

MD5
f9741a91cb482ea0c92fc4e007175256

SHA1
dc07a144891ac42e19afc455e8f5084d00460199

SHA256
c4e4241c2e6fe344da70c5bff1c0626309162d5db9f7335a3ff3c53e27cbc18b

SHA512
1168397f38ec403c98b8507b238d098e347626c174e44b32d24b943b98cff80503e819a26e537887ec3a9054a4c60dd539ece01c89a66a6cfc7e061a6cf7b3fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
1b0d07806f86a6d729aaa762b9a00f1f

SHA1
f5f354fc562bbc0b10bf38ae285560d3dd497240

SHA256
6264ae380820f526d452db0c69819e9d58e5ef8d3ca289ea392634dcc8441c8e

SHA512
2ec127d9ca98434f3d6d7625c373e8a887963794d8541c424be8ded90c3a27e68dbeb5d26aca40d2383060e16be1667ae1429652f2fa5d3d4fc1d92208d40ab7

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\certificate.pem

Filesize
111KB

MD5
0354061f1966b42a95ea67339b368d3a

SHA1
c2332f191549677673c65d6f310766cb372a51f3

SHA256
f09651ea066297d14aa03603ff8fb8a7837038db8837051291121c547e7070fc

SHA512
800db5e1cab015de61b5ce9a1af99de19fed4f0737c7949fdb1c4c4ea3ff460e8b01355fa7657744b3c43f2bb80f29bbd88fbb7e5c26d477f5560a3ccd227b39

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\config.xml

Filesize
7KB

MD5
7a90522d275e13ab0813da65e9b0da43

SHA1
2bf10880d9d7f84fc761d3cd720d037f3c022c2a

SHA256
c9ecaff72fbbcdde1f7614d306fe9d6884da76557bfc9a2e498a8f97724121f9

SHA512
06394dc52ed7f55455d4a327be7155f4b2ca2e416ce1ed2cfc8a74edf088f233500d4647ac2907aea562af01a9450ccd324d97f8e4a9725781b6648ea0a9fe1e

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\contextMenu.xml

Filesize
4KB

MD5
fde4cc09d1c18c6cd7c1a4878e89d27e

SHA1
22fba21b254fed1a60da5de2b8af3cf6e132b647

SHA256
43ac0b7ba9b1f91fd8d4841b8119344e6212b307a1decccf61658f31d38bb425

SHA512
fcc87b93cb4dd0949e82edb7d2788d7abd317f9f4c5f046ceba1cd85a64b12b29c6baba3e8646265db02a48a2dc20c3b5e893a1334d9b1e91d26692b4e9c2d29

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\langs.xml

Filesize
451KB

MD5
0ca5163fef9dc83b8fba4f6524fd5801

SHA1
a2a7b6d3ca67a56c9f384c74e96912ebea7262cd

SHA256
d5bfd6ae3c031de46b4bb30abe9b44dbe4caa33228946853481be1b1d23c1a6d

SHA512
7b81e6457200712f1b1beaea215fc68fea522517ba8dbaf4ab1230703da22d8ceb08e0057e60fccd076b087e9edf7c660957e4a3763c0bf906e9a6c827fac4d8

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\license_us_EN.html

Filesize
1.7MB

MD5
2f646fcc13c2c392c4af2f2d83a08a25

SHA1
9ac5faae7de79ce79cc4d8dacc078b37c7ec8874

SHA256
38ff6bcb91bd6cbceec26bc60007c60031d9f35181fbae851bd239f361cf38db

SHA512
2fe323f45990398cd7bca29c43e53611c45d08ae4f146bae6afd978d1c5ee8f4c5945c146866362e474d9e3d6f2e5c4741aea8d446a157469bf2d7424b5dbe3c

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe

Filesize
6.9MB

MD5
8279706ad64d33bf4eceb2c1becef274

SHA1
582cd15c2d1bf27da142ced63ffe490818bf4fa7

SHA256
712abdd019cd2e4d96cee74d94eafba8f21ffc35c99a656c228a179ba6f5b310

SHA512
69d5f5a2ceaa10a822d24af6c0cfba91804886c7fdb634931c2c6149dec29b98a7770fa7e3cb8630a525c088c39a84382ad30556aa9d4092e4b2e356af39cf9d

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\Config\nppPluginList.dll

Filesize
204KB

MD5
e7ab0446d3d300d93ab65dd9f94dd59b

SHA1
999f0dd30d4aa5224ade7b1bb2d4410494ee7324

SHA256
83bd50d9c6d57a58e75838e92c4d5cc61d1cc604b4db033559c756b857f267fe

SHA512
93016a843cee731c7b6195e36b218806734506e1aa44648731510962db1f8e405d1fc1952936a23340397c6b4fbb11ff0b832646970a79644042457cab3b159d

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\NppConverter\NppConverter.dll

Filesize
198KB

MD5
7ce0e43b22274d55d7c8fbe937fdd70a

SHA1
b8b42b145e0fad49c3f497dd291d95629b24bc0e

SHA256
15b522475027a659988edcd0b9efa18f2cf9d04ecf5f88d1c577eb8be1f55156

SHA512
98c40c83b9e4c7f92f83a3c8fc8974c818edadc89b1aeb59922062b514fac47be9a3cf90859ee07dc9f641066a4d65182dc6b7641c41bde55c601bf08302533e

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\NppExport\NppExport.dll

Filesize
153KB

MD5
b29065b03a282b5560464fcc657945b2

SHA1
b4f9cec583775c22ed7fbc967743df9effeb7d2a

SHA256
f235cc34e126b47847b9aa89bf5ead47948de4d190b5fe2117ae6deff47e63e6

SHA512
3872f4d85a88363c2538b41d85b6cfbfc14b1abe2b452cb9f71cbe310f53cc2522f1f072fc33853d17662a3cb39c656d698559b4a40bf5d9cffdfa11c47116d6

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\mimeTools\mimeTools.dll

Filesize
145KB

MD5
8c0a29be7fa71be3e638da1e3e5d738f

SHA1
07842ac568f779dca6dd2756c401f6a6709c1dfc

SHA256
119ecd68ab332770bcfe92a3ccdb549b0078d91cc2292bb9d02dc8aa27ca3cc3

SHA512
e2a4f7bae0a63c65c9c53fd98ac5e97fc9a363bc5656a17640b05da22c45ef76c7049cc8f66d0e7683d8f2fd615fb6a5d406aa0c6812b56d91029ce812c70909

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\session.xml

Filesize
193B

MD5
5d261612f9233dc1754c83fee2c5a854

SHA1
16f3543dcc6ed0bb3f111e6bca845fe1cd1a20ec

SHA256
52226d6d91ffe76d8aa3ce42982da9bb4881f04eb0d8d4ebb34a6e3204845901

SHA512
875bbffd4772964ada70a4cf3aab6e9f6193757dc653d2cf58642156b4b15d6a806b86b6252f6bfec503065d3f7384b248b669064327fe74a948d9c273084bba

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\shortcuts.xml

Filesize
3KB

MD5
fb573784b83033dd4361f52006d02cb8

SHA1
0a2923a44ec1bd5e7e8bc7cace15857ae03bf63c

SHA256
37a24662cd55b627807bc2bb7cbba5bbf2abaf6da4dd7bbb949bfaa7903eae9c

SHA512
753b44b5e8bea858cf5cc5ddfdc38098a2f3f921949cf98706ead95bdfa1de7ab0c115e9d69237623a03c422969480204c69d3ba277141527458c68230d0c67c

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\shr4.dll

Filesize
145KB

MD5
5a1e2d61baabbca3d728795fde4e20b1

SHA1
4d6b30c63fe9a8f4661a70e32b3593dfba991aef

SHA256
93840216b598ecb738be81a66dfbb3cf5bdd2abc06af9148ea41884553e8212a

SHA512
f5042e66981d04cb40bd3a9dd5aca4ec891170d2f4c7ca544605c6753f1c3bb143d0c9665a3fc4677182ebde6a13c8d68a976ff7d463750502a9a12756d42a9a

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\stylers.xml

Filesize
182KB

MD5
343b8f55f376e88674733286d027f834

SHA1
466886054d5c2641ba6058f58a7a84053aa4696e

SHA256
f002b36e70f0fb159885c21fa6e6395176cd50a254201a94cbed756d9843fa9a

SHA512
ef6643badbb87739f0ae847d201651f8d3e677c54ca2aa3f81277b053355772f71d9b0f490617c104ce861a29e2b283fe6d82faf4cfe8f10bfc571d683cfea8e

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\toolbarIcons.xml

Filesize
2KB

MD5
bc4b775a277672fc7edf956120576ecb

SHA1
fe7c2db5b4d4c5a3f5603cf56c4d71cc9ee2d71d

SHA256
4ec98de37193f41242c1a47507bcc4c1af555e71154f7354272bc3e664e19877

SHA512
f87dc3ce52831ee308fbfa2b1b94c07e2811e7028360f046e012f8ea5a8f0ebcd362de7a663dee810c3da0791474c1485b1a2626c7867e76236156b125ff39b2

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\updater\gup.exe

Filesize
818KB

MD5
7073a8f48d526090a30c5c7e6191ca08

SHA1
2908951eb08202ae355a4e5a6f06076725bee725

SHA256
35663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc

SHA512
74705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\userDefineLangs\markdown._preinstalled.udl.xml

Filesize
6KB

MD5
672e6d5f89887666ec94711e442644e0

SHA1
8d069ae93347316eff0dcf7aff4d22da18a62af2

SHA256
b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04

SHA512
8fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\userDefineLangs\markdown._preinstalled_DM.udl.xml

Filesize
6KB

MD5
3690cef1865e32fe6be1b2ec7656539a

SHA1
bc043bec63c310a60d9e242810036460c467945d

SHA256
e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25

SHA512
c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051

Download Submit
C:\Windows\Installer\{654C71C3-9449-4BCD-8AE3-06648507751C}\_B87728FC0BC25287CF303A.exe

Filesize
4KB

MD5
f1814a363433ed1e413ad7c650414c42

SHA1
c0dcbe7a66f8ad0b83fd0873cb01d6b4a57a30da

SHA256
2237534a7e9f656c859a5802007ff17e4649d6ffe4f30a844dae582c14de260b

SHA512
a364a617806433b2895f6be7b9363117bac3bb2594496b0c32deb3e0fe0e6ab4d77c67d7295176db96a6e8cbf3eeaeeec58a1d96361cf799ee925ba5cb94373f

Download Submit
C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.PNF

Filesize
10KB

MD5
455df6f647ecc9a916e72bf2ca723fea

SHA1
7db54ebbdfe3e44991ea83afab5a5f4ea964afc8

SHA256
00feb73b91ff4e706a01f27187b240ad24714ea99481fef5efeb919f106bcef7

SHA512
85c9e5f83b047847889a1c2a4f68f562b74c489b3b6f0435139790149d38288c8f86c0b823e447827e46bbd51c943e21f460af3686786484e49d27d0d0b63c6d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
1f05d1d729a1537f090d201942d2051e

SHA1
ed8dedda5d337082b34add0def5ae20b59f43876

SHA256
b9dbb4892809f9f27d1764a158013e75607294341734f725146aa96c3e48a66c

SHA512
88ac8a1417684de8284ad8862e97ec7f714cee0dc2191e8946f3ceb61f6bdee104d6b1422e0ae5d1925d73b8b3568c08b6815888d84796f958c240c400111d28

Download Submit
\??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4ac3c54d-dcc8-4fe6-add0-d41a7b417222}_OnDiskSnapshotProp

Filesize
6KB

MD5
71bd0f02eb5f8b76bd90c5b844218368

SHA1
2c147116123d09f27357311952ac304928aa9fd2

SHA256
59b0d7e441bbdca79c0acdce374b659146e7c64085b89fa3f19cee02b06e867b

SHA512
dc1e5e41bf072284de7f50f0906f5b9826558bcb80d6f410a8789d88e1183cab8c043eaa5f1ea3148d2d3a928afff692c2ab0349683987fd296d5e3e587eabaa

Download Submit
memory/3532-361-0x000000000DE70000-0x000000000EAD6000-memory.dmp

Filesize
12.4MB

Download
memory/3532-339-0x000000000DE70000-0x000000000EAD6000-memory.dmp

Filesize
12.4MB

Download
memory/3532-338-0x0000000008D50000-0x0000000008D68000-memory.dmp

Filesize
96KB

Download
memory/4712-336-0x0000028B00000000-0x0000028B05F5F000-memory.dmp

Filesize
95.4MB

Download
memory/4712-337-0x0000028B7D2E0000-0x0000028B7D35B000-memory.dmp

Filesize
492KB

Download