wikiloader | 21689eafdfd6005ae75683a423b7816592cdf9aae03d983782d9272bb71787b9

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlobalProtect64.msi
Size

153.1MB
MD5

4b1733124a19056ca4301231f2e0d245
SHA1

66a1b33fde2ae3d7fae05a059c861197d87c04c1
SHA256

21689eafdfd6005ae75683a423b7816592cdf9aae03d983782d9272bb71787b9
SHA512

c2513920d48986dc595a009d782253d5456543226d6f1aebf18609e268c15c35d1ca27dc6e38072d7d206391381c136aad471a20f25565b0e00c9af43bfc72ce
SSDEEP

3145728:QJCdGkU9a6wnzYdRQ7O7rtEtBsIvCcJr9SlX2OVwji5Xv+Jb8rTnNWFdbk:Q0dGk0a6wzOK7O7rtEEIvV9ShHV/v+JG

Score

10^/10

wikiloader backdoor loader persistence privilege_escalation

Malware Config

Signatures

Wikiloader
Wikiloader is a loader and backdoor written in C++.
loader backdoor wikiloader

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET9F68.tmp	PanGPS.exe
File created	C:\Windows\system32\DRIVERS\SET9F68.tmp	PanGPS.exe
File opened for modification	C:\Windows\system32\DRIVERS\pangpd.sys	PanGPS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GlobalProtect = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe\""	msiexec.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	2060	msiexec.exe
8	2060	msiexec.exe
10	2060	msiexec.exe
5	2060	msiexec.exe
8	2060	msiexec.exe
10	2060	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\netwtw04.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF	PanGPS.exe
File created	C:\Windows\system32\PanCredProv.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\net1ic64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8d93605b-8adc-c542-9f8a-5246883141f0}\pangpd.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF	PanGPS.exe
File created	C:\Windows\system32\PanPlapProvider.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8d93605b-8adc-c542-9f8a-5246883141f0}\pangpd.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8d93605b-8adc-c542-9f8a-5246883141f0}\SET9585.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8d93605b-8adc-c542-9f8a-5246883141f0}\pangpd64.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\netvchannel.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd64.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\nete1g3e.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\netathr10x.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF	PanGPS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwns64.inf_amd64_162bb49f925c6463\netwns64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF	PanGPS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF	PanGPS.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
712	notepad.exe

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_busy.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.avi	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Semibold.ttf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.cat	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap1.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\res\Panw-Logo.png	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.inf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\close2.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Decimal-Medium-Pro.otf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00003.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\close1.bmp	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log	PanGPS.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\pan_gp_event.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedInternal.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Regular.ttf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok_msg.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd64.cat	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedFail.bmp	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_stop.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanSupport.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Connected.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap2.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanMSAgent.ico	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedNone.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\close3.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\res\help.chm	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\DEM64.msi	msiexec.exe
File opened for modification	C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log	PanGPS.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.cat	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00001.bmp	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.ico	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\license.cfg	msiexec.exe
File created	C:\Program Files\Palo Alto Networks\GlobalProtect\uninstall.ico	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\INF\bda.PNF	PanGPS.exe
File created	C:\Windows\INF\c_wceusbs.PNF	PanGPS.exe
File created	C:\Windows\INF\netwtw08.PNF	PanGPS.exe
File created	C:\Windows\INF\sisraid4.PNF	PanGPS.exe
File created	C:\Windows\INF\wvmic_heartbeat.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmgl008.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmnokia.PNF	PanGPS.exe
File created	C:\Windows\INF\rdcameradriver.PNF	PanGPS.exe
File created	C:\Windows\INF\rspndr.PNF	PanGPS.exe
File created	C:\Windows\INF\wave.PNF	PanGPS.exe
File created	C:\Windows\INF\wvmic_ext.PNF	PanGPS.exe
File created	C:\Windows\Installer\e585a31.msi	msiexec.exe
File created	C:\Windows\INF\c_linedisplay.PNF	PanGPS.exe
File created	C:\Windows\INF\c_tapedrive.PNF	PanGPS.exe
File created	C:\Windows\INF\eaphost.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmsmart.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmsonyu.PNF	PanGPS.exe
File created	C:\Windows\INF\netl160a.PNF	PanGPS.exe
File created	C:\Windows\INF\netwsw00.PNF	PanGPS.exe
File created	C:\Windows\INF\wstorvsc.PNF	PanGPS.exe
File created	C:\Windows\INF\wvmbusvideo.PNF	PanGPS.exe
File created	C:\Windows\INF\c_cdrom.PNF	PanGPS.exe
File created	C:\Windows\INF\hidbthle.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmcd.PNF	PanGPS.exe
File created	C:\Windows\INF\netwew01.PNF	PanGPS.exe
File created	C:\Windows\INF\pnpxinternetgatewaydevices.PNF	PanGPS.exe
File created	C:\Windows\INF\c_extension.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmetri.PNF	PanGPS.exe
File created	C:\Windows\INF\xusb22.PNF	PanGPS.exe
File created	C:\Windows\INF\bthmtpenum.PNF	PanGPS.exe
File created	C:\Windows\INF\c_dot4print.PNF	PanGPS.exe
File created	C:\Windows\INF\dc21x4vm.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmaus.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmmod.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmrock3.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmsupr3.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmtkr.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmatm2k.PNF	PanGPS.exe
File created	C:\Windows\INF\rndiscmp.PNF	PanGPS.exe
File created	C:\Windows\INF\c_scmvolume.PNF	PanGPS.exe
File created	C:\Windows\INF\c_ports.PNF	PanGPS.exe
File created	C:\Windows\INF\c_smrdisk.PNF	PanGPS.exe
File created	C:\Windows\INF\megasas35i.PNF	PanGPS.exe
File created	C:\Windows\INF\microsoft_bluetooth_a2dp_src.PNF	PanGPS.exe
File created	C:\Windows\INF\netnvm64.PNF	PanGPS.exe
File created	C:\Windows\INF\netr28ux.PNF	PanGPS.exe
File created	C:\Windows\INF\heat.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmgl002.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmjf56e.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmzyp.PNF	PanGPS.exe
File created	C:\Windows\INF\netelx.PNF	PanGPS.exe
File created	C:\Windows\INF\netjme.PNF	PanGPS.exe
File created	C:\Windows\INF\percsas3i.PNF	PanGPS.exe
File created	C:\Windows\INF\rtvdevx64.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmcomp.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmomrn3.PNF	PanGPS.exe
File created	C:\Windows\INF\ts_generic.PNF	PanGPS.exe
File created	C:\Windows\INF\ts_wpdmtp.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmcom1.PNF	PanGPS.exe
File created	C:\Windows\INF\mdmsier.PNF	PanGPS.exe
File created	C:\Windows\INF\netpgm.PNF	PanGPS.exe
File created	C:\Windows\INF\prnms011.PNF	PanGPS.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	PanGPS.exe
File created	C:\Windows\INF\c_pcmcia.PNF	PanGPS.exe

Executes dropped EXE 4 IoCs

pid	Process
712	notepad.exe
1300	PanGPS.exe
3024	PanGPS.exe
2008	PanGPA.exe

Loads dropped DLL 5 IoCs

pid	Process
1300	PanGPS.exe
712	notepad.exe
712	notepad.exe
712	notepad.exe
3024	PanGPS.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2060	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 51 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	PanGPS.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	PanGPS.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	PanGPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	PanGPS.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	PanGPS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	PanGPS.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000"	PanGPS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PanGPA.exe = "11000"	PanGPS.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	DrvInst.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\ = "\"URL:GlobalProtectCallback Protocol\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command\ = "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanVcrediChecker.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ThreadingModel = "Apartment"	PanGPS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductName = "GlobalProtect"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\globalprotectcallback\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\DefaultIcon\ = "\"PanVcrediChecker.exe,1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\globalprotectcallback	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\globalprotectcallback\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\PackageCode = "8ED1743605AD5B14B93027D29575BED3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\ProductIcon = "C:\\Windows\\Installer\\{654C71C3-9449-4BCD-8AE3-06648507751C}\\_853F67D554F05449430E7E.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32	PanGPS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C17C4569449DCB4A83E6046587057C1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\PackageName = "GlobalProtect64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\ = "PanV2CredProv"	PanGPS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}\InprocServer32\ = "PanV2CredProv.dll"	PanGPS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\globalprotectcallback	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\Version = "100728834"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C17C4569449DCB4A83E6046587057C1\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A976D99B5ABAF004E800A314369F16EF\3C17C4569449DCB4A83E6046587057C1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25CA8579-1BD8-469c-B9FC-6AC45A161C18}	PanGPS.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4620	msiexec.exe
4620	msiexec.exe
1300	PanGPS.exe
1300	PanGPS.exe
712	notepad.exe
712	notepad.exe
1300	PanGPS.exe
1300	PanGPS.exe
3024	PanGPS.exe
3024	PanGPS.exe
3024	PanGPS.exe
3024	PanGPS.exe
3024	PanGPS.exe
3024	PanGPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2060	msiexec.exe
Token: SeSecurityPrivilege	4620	msiexec.exe
Token: SeCreateTokenPrivilege	2060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2060	msiexec.exe
Token: SeLockMemoryPrivilege	2060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2060	msiexec.exe
Token: SeMachineAccountPrivilege	2060	msiexec.exe
Token: SeTcbPrivilege	2060	msiexec.exe
Token: SeSecurityPrivilege	2060	msiexec.exe
Token: SeTakeOwnershipPrivilege	2060	msiexec.exe
Token: SeLoadDriverPrivilege	2060	msiexec.exe
Token: SeSystemProfilePrivilege	2060	msiexec.exe
Token: SeSystemtimePrivilege	2060	msiexec.exe
Token: SeProfSingleProcessPrivilege	2060	msiexec.exe
Token: SeIncBasePriorityPrivilege	2060	msiexec.exe
Token: SeCreatePagefilePrivilege	2060	msiexec.exe
Token: SeCreatePermanentPrivilege	2060	msiexec.exe
Token: SeBackupPrivilege	2060	msiexec.exe
Token: SeRestorePrivilege	2060	msiexec.exe
Token: SeShutdownPrivilege	2060	msiexec.exe
Token: SeDebugPrivilege	2060	msiexec.exe
Token: SeAuditPrivilege	2060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2060	msiexec.exe
Token: SeChangeNotifyPrivilege	2060	msiexec.exe
Token: SeRemoteShutdownPrivilege	2060	msiexec.exe
Token: SeUndockPrivilege	2060	msiexec.exe
Token: SeSyncAgentPrivilege	2060	msiexec.exe
Token: SeEnableDelegationPrivilege	2060	msiexec.exe
Token: SeManageVolumePrivilege	2060	msiexec.exe
Token: SeImpersonatePrivilege	2060	msiexec.exe
Token: SeCreateGlobalPrivilege	2060	msiexec.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeBackupPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeBackupPrivilege	2888	srtasks.exe
Token: SeRestorePrivilege	2888	srtasks.exe
Token: SeSecurityPrivilege	2888	srtasks.exe
Token: SeTakeOwnershipPrivilege	2888	srtasks.exe
Token: SeBackupPrivilege	2888	srtasks.exe
Token: SeRestorePrivilege	2888	srtasks.exe
Token: SeSecurityPrivilege	2888	srtasks.exe
Token: SeTakeOwnershipPrivilege	2888	srtasks.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe
Token: SeTakeOwnershipPrivilege	4620	msiexec.exe
Token: SeRestorePrivilege	4620	msiexec.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2060	msiexec.exe
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
2008	PanGPA.exe
3428	Explorer.EXE
3428	Explorer.EXE
2060	msiexec.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
3428	Explorer.EXE
2008	PanGPA.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
712	notepad.exe
2008	PanGPA.exe
2008	PanGPA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2888	4620	msiexec.exe	97
PID 4620 wrote to memory of 2888	4620	msiexec.exe	97
PID 4620 wrote to memory of 712	4620	msiexec.exe	100
PID 4620 wrote to memory of 712	4620	msiexec.exe	100
PID 4620 wrote to memory of 1300	4620	msiexec.exe	102
PID 4620 wrote to memory of 1300	4620	msiexec.exe	102
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56
PID 712 wrote to memory of 3428	712	notepad.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3428
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GlobalProtect64.msi
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe
  "C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:712
- C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
  "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
PID:1352
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000148" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2712

C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3024
- C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
  "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" fromGPS
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585a32.rbs

Filesize
57KB

MD5
7116a7fb22e42b4bd5ade3da26944824

SHA1
3b8abd844f8c1dccf3e9160e418b6243188c7c8a

SHA256
31c84477b18dde293d28351ab94cfa825a7ad6a34f33f214dc7c971be88f5539

SHA512
6bee2b77b00f2c9b0451d3f4bd9ca8fb688c7b0b636030ab1862374abf9d62bf3d3759cb3a3400707e83058937292f0828bee9513607ac33f86e1162d4a3739d

Download Submit
C:\PROGRA~1\PALOAL~1\GLOBAL~1\pangpd.sys

Filesize
76KB

MD5
6ca91596cfae2079ba66bfbb099f41e6

SHA1
12729569ca22d782630e988c56a6472d8cfb96aa

SHA256
9cc08f70555e3958e1676fba56b12d482ef961f8fdbba9e69db7a44f3b007a02

SHA512
f06f785aa445c1f77d6b3553d3db99c1373f99ff55505bea71763f15b62334ebe1dd77550110179942fbb44b85ee7330ee59f888e409c8600f6df7a7611b8ace

Download Submit
C:\PROGRA~1\PALOAL~1\GLOBAL~1\pangpd64.cat

Filesize
10KB

MD5
6f4e74e781e6bcf142dd838cfebb41c7

SHA1
f4943f6168827c6e6e5cb4f9e7d34b35398d66c9

SHA256
f6f9275be2da16360f7498dd1b4631f9b19fff816d8a025b0146c20572b1a1ea

SHA512
6fe8ed0041cb9e9f0ed350df512738164b1f26a475a50db2f9691e7855d6e5ae1de590cab13e190ebd66765a722b39153c90e913cfa00835c0fc3cce347baa85

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Filesize
12.7MB

MD5
67531d29184f8535d5a5bfa9b6f2dc55

SHA1
137c77d9704e089325c383aaa12be1306912b157

SHA256
f3efccf35546bb9b4167558f017171fd70756ef6b0b5c9e6ab618722c099d8de

SHA512
450df85697933102db33f55c10bfaf816f5f4b30d84b7e7ea286b6697fd21bbd80a2a39aaec1629dc5dbb999bc9d3b75f740568ddeedb144b4acd4cfebecc8c0

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Filesize
10.9MB

MD5
6cd4376e895378198b89bfb282429094

SHA1
66a4048d4af908c8774ae61645a8520711f3f98d

SHA256
ba4bc8ca267de00eb89bb485788321b873f0e0b6aeddaacab9d6b2676c10ec08

SHA512
aac34445ee9cf0a37bbb607cc495536b583a23910e02b2f588dccfb99ff58af5d550f439b4528e70ffe972ce17b9a92756fa7793e1644d590c1e474c972458d2

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll

Filesize
279KB

MD5
27a8ea702bfb4dacdd21a42257563d9f

SHA1
bce90f73a04f4fd3f854ae5b4a93e6da41e5ba63

SHA256
85a11027117d5fb33a09298f28dde22af5e859fe574b41a9bf5da1e595334a27

SHA512
ad891bc3f0626f67d482d9849384706cadc17b8688e0136aec2b9fc0cfa2203d6c8fbf3f02eb9452970a4ca66281be733e044cdea24a1d645e64e1dd9d390645

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

Filesize
318B

MD5
6bdb02b3374380e40c0335a4bb319a5e

SHA1
ae4c5ccd3e022cdcc4921428849437d871c81eaa

SHA256
8ce00da0fe77e562bb277ccb0bdce6c341a5cddcc02b9b6743100a517c99e3c2

SHA512
92772a57d115ba5d6200b6405b5429ccfecbd0d877ae58c1b3a7de8b534a5fa8401fa82bad519bac68bfe31526c5d14b63c56af8d542208b8cbc28d03671ae25

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

Filesize
1KB

MD5
84b26fa66cf68e24725b0b04afe818d8

SHA1
ff813248ae19bfe59a74fab744bb44236e4c7c8c

SHA256
6cd9d11c4f0c5a7986e886b475eabcced83131fdbc45d07dc313fdaa395a80ce

SHA512
895f70cc1044a8074f434158b595027fa819813903b881833a374dc8b8bce06cfee5cf94c24de00b249378b67b42072559381b2030daa767707a940fafe53067

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

Filesize
2KB

MD5
d085748fae9dc822e6fa9eaa388e93b5

SHA1
b4dcb007fb978547d3b48b71f3052f600e5d45e1

SHA256
c0a5838bfd02a0bbf0ea29f279d7680278a3708fb73e85a214db2979f7a5146b

SHA512
cd9ab0c28cf6cc16d7ef664e30c35160237280404df4872a43211aed2e6f4bc152fb6cf4a5924c795d59f52bc39fb5854233c7571b7ed25e0a99111a7219257f

Download Submit
C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf

Filesize
4KB

MD5
fc97a101113d88276c58400bba7aaf77

SHA1
814d0c9fbdee6b3daba6d18389536fde536d3b2d

SHA256
20b44f3859a6ff1b7c644fc90ced4e7ab37ccf5cb50ec21d59a92906932a4842

SHA512
616ac0eb0bf54e4efb94b9cf1a301e8ad08f13d7477256552be616d450db84614a3a7e5376ec7d3fc11e893c38cf578eb826fbf156b17b2cf48e5004470e5bda

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect\GlobalProtect.lnk

Filesize
2KB

MD5
b4862c5fae9d2c66917cf46209a078c8

SHA1
75cb3b4c3a3037c11aca4480829e8c5e42636e5a

SHA256
ee5745e0d2e1b1a6257f6172a7daa439bed4180dd19ca1f3d144b10eefc6ab72

SHA512
3212e16d9160a31f46f8c07a9ebfee2a9b77bd20b8a4b0d2e84fa583106efdbf33bcbe97d0d5289ef79fbcc1920318a08e7cf8ca5549d08f3fc9fb4f8e0169f7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect\PanGPSupport.lnk

Filesize
2KB

MD5
514b079680fccb063fa46f8049db310f

SHA1
07bf1cc36b42e6bd6f03b5c27ef076641d6e7a85

SHA256
44a37400763ac9e00e14a62e012896ae589792063f95d0f139124d7577e947b0

SHA512
2050bc252d330722fa8a21dcea3711fd2384c2876ff646370b264be9fd07ec4d40cc57c879ce730ae0de970d157d04669180134f0a72d5d78599b5c8f125bea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F

Filesize
1KB

MD5
6fe76b3f3155ce25d23930ccac287818

SHA1
22841ffaaec4bb8f1178a36f4907a8d325b37607

SHA256
42572bfc088bde722ac0f1d531f3a96f1b0faccefec5bd43d97e17ecb987b79d

SHA512
b61d3fa68c225bb2cc60690d46876bc1e2ab9f78ea26a1389900a08ca22e47b96db4d4423c71ac89791090ceefdbc3564a0106c77eb8fc99a84585b66c99b4d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
4dd99ea0756fffcac9076123a88161d1

SHA1
19dee3a2ca000eb226279dad6d065086df66cb63

SHA256
a4a74c501a507acf6aefc75068600417bba3ea99490f2fd9c2d1eef7fae917fc

SHA512
41c4989f0173e2cd0ad744836e8b6d9ba61e8f7cbd4080ce41016d4a243297a082f1473b096d8521ca4fc4b912f726dee93847c1cffc144c0679d1608bbc8ef6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F

Filesize
536B

MD5
874c21fb66fcd6262b5c1638245af97d

SHA1
7450c61b72e9f907360b438a09151221b73d15b4

SHA256
20cc0bb192428f51d43e962700cb0386bda287c55e3ddafba2037e5563bdd022

SHA512
e4738b9112fe6e19be34d1354f6aabff8c4d481c8823fede28f96e0f5eba4008d9bdaeb4359129ac7f626277d4a37f2b36ba820d7e8edbfad1b022f7efe9a0b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
2ab27fa99100baa3d1a3a2606d442be5

SHA1
24e23617d95b32ba4c6e63f307c2f0897eb01675

SHA256
cbc2f3be1be87e2e7cbeee8ddf2b32bb1bc7ba063db1a69df1f4a0e570d7b534

SHA512
9b3a376d4766940fcf351b75c6619c2b0eeaa5faf3c9b7ad58ece2527e906eb30df4675f7e2321174d4be2af8f19890df43865b7d4afbfff08880d9a2971a5a4

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\certificate.pem

Filesize
111KB

MD5
0354061f1966b42a95ea67339b368d3a

SHA1
c2332f191549677673c65d6f310766cb372a51f3

SHA256
f09651ea066297d14aa03603ff8fb8a7837038db8837051291121c547e7070fc

SHA512
800db5e1cab015de61b5ce9a1af99de19fed4f0737c7949fdb1c4c4ea3ff460e8b01355fa7657744b3c43f2bb80f29bbd88fbb7e5c26d477f5560a3ccd227b39

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\config.xml

Filesize
7KB

MD5
7a90522d275e13ab0813da65e9b0da43

SHA1
2bf10880d9d7f84fc761d3cd720d037f3c022c2a

SHA256
c9ecaff72fbbcdde1f7614d306fe9d6884da76557bfc9a2e498a8f97724121f9

SHA512
06394dc52ed7f55455d4a327be7155f4b2ca2e416ce1ed2cfc8a74edf088f233500d4647ac2907aea562af01a9450ccd324d97f8e4a9725781b6648ea0a9fe1e

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\contextMenu.xml

Filesize
4KB

MD5
fde4cc09d1c18c6cd7c1a4878e89d27e

SHA1
22fba21b254fed1a60da5de2b8af3cf6e132b647

SHA256
43ac0b7ba9b1f91fd8d4841b8119344e6212b307a1decccf61658f31d38bb425

SHA512
fcc87b93cb4dd0949e82edb7d2788d7abd317f9f4c5f046ceba1cd85a64b12b29c6baba3e8646265db02a48a2dc20c3b5e893a1334d9b1e91d26692b4e9c2d29

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\langs.xml

Filesize
451KB

MD5
0ca5163fef9dc83b8fba4f6524fd5801

SHA1
a2a7b6d3ca67a56c9f384c74e96912ebea7262cd

SHA256
d5bfd6ae3c031de46b4bb30abe9b44dbe4caa33228946853481be1b1d23c1a6d

SHA512
7b81e6457200712f1b1beaea215fc68fea522517ba8dbaf4ab1230703da22d8ceb08e0057e60fccd076b087e9edf7c660957e4a3763c0bf906e9a6c827fac4d8

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\license_us_EN.html

Filesize
1.7MB

MD5
2f646fcc13c2c392c4af2f2d83a08a25

SHA1
9ac5faae7de79ce79cc4d8dacc078b37c7ec8874

SHA256
38ff6bcb91bd6cbceec26bc60007c60031d9f35181fbae851bd239f361cf38db

SHA512
2fe323f45990398cd7bca29c43e53611c45d08ae4f146bae6afd978d1c5ee8f4c5945c146866362e474d9e3d6f2e5c4741aea8d446a157469bf2d7424b5dbe3c

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe

Filesize
6.9MB

MD5
8279706ad64d33bf4eceb2c1becef274

SHA1
582cd15c2d1bf27da142ced63ffe490818bf4fa7

SHA256
712abdd019cd2e4d96cee74d94eafba8f21ffc35c99a656c228a179ba6f5b310

SHA512
69d5f5a2ceaa10a822d24af6c0cfba91804886c7fdb634931c2c6149dec29b98a7770fa7e3cb8630a525c088c39a84382ad30556aa9d4092e4b2e356af39cf9d

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\Config\nppPluginList.dll

Filesize
204KB

MD5
e7ab0446d3d300d93ab65dd9f94dd59b

SHA1
999f0dd30d4aa5224ade7b1bb2d4410494ee7324

SHA256
83bd50d9c6d57a58e75838e92c4d5cc61d1cc604b4db033559c756b857f267fe

SHA512
93016a843cee731c7b6195e36b218806734506e1aa44648731510962db1f8e405d1fc1952936a23340397c6b4fbb11ff0b832646970a79644042457cab3b159d

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\NppConverter\NppConverter.dll

Filesize
198KB

MD5
7ce0e43b22274d55d7c8fbe937fdd70a

SHA1
b8b42b145e0fad49c3f497dd291d95629b24bc0e

SHA256
15b522475027a659988edcd0b9efa18f2cf9d04ecf5f88d1c577eb8be1f55156

SHA512
98c40c83b9e4c7f92f83a3c8fc8974c818edadc89b1aeb59922062b514fac47be9a3cf90859ee07dc9f641066a4d65182dc6b7641c41bde55c601bf08302533e

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\NppExport\NppExport.dll

Filesize
153KB

MD5
b29065b03a282b5560464fcc657945b2

SHA1
b4f9cec583775c22ed7fbc967743df9effeb7d2a

SHA256
f235cc34e126b47847b9aa89bf5ead47948de4d190b5fe2117ae6deff47e63e6

SHA512
3872f4d85a88363c2538b41d85b6cfbfc14b1abe2b452cb9f71cbe310f53cc2522f1f072fc33853d17662a3cb39c656d698559b4a40bf5d9cffdfa11c47116d6

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\mimeTools\mimeTools.dll

Filesize
145KB

MD5
8c0a29be7fa71be3e638da1e3e5d738f

SHA1
07842ac568f779dca6dd2756c401f6a6709c1dfc

SHA256
119ecd68ab332770bcfe92a3ccdb549b0078d91cc2292bb9d02dc8aa27ca3cc3

SHA512
e2a4f7bae0a63c65c9c53fd98ac5e97fc9a363bc5656a17640b05da22c45ef76c7049cc8f66d0e7683d8f2fd615fb6a5d406aa0c6812b56d91029ce812c70909

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\session.xml

Filesize
193B

MD5
5d261612f9233dc1754c83fee2c5a854

SHA1
16f3543dcc6ed0bb3f111e6bca845fe1cd1a20ec

SHA256
52226d6d91ffe76d8aa3ce42982da9bb4881f04eb0d8d4ebb34a6e3204845901

SHA512
875bbffd4772964ada70a4cf3aab6e9f6193757dc653d2cf58642156b4b15d6a806b86b6252f6bfec503065d3f7384b248b669064327fe74a948d9c273084bba

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\shortcuts.xml

Filesize
3KB

MD5
fb573784b83033dd4361f52006d02cb8

SHA1
0a2923a44ec1bd5e7e8bc7cace15857ae03bf63c

SHA256
37a24662cd55b627807bc2bb7cbba5bbf2abaf6da4dd7bbb949bfaa7903eae9c

SHA512
753b44b5e8bea858cf5cc5ddfdc38098a2f3f921949cf98706ead95bdfa1de7ab0c115e9d69237623a03c422969480204c69d3ba277141527458c68230d0c67c

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\shr4.dll

Filesize
145KB

MD5
5a1e2d61baabbca3d728795fde4e20b1

SHA1
4d6b30c63fe9a8f4661a70e32b3593dfba991aef

SHA256
93840216b598ecb738be81a66dfbb3cf5bdd2abc06af9148ea41884553e8212a

SHA512
f5042e66981d04cb40bd3a9dd5aca4ec891170d2f4c7ca544605c6753f1c3bb143d0c9665a3fc4677182ebde6a13c8d68a976ff7d463750502a9a12756d42a9a

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\stylers.xml

Filesize
182KB

MD5
343b8f55f376e88674733286d027f834

SHA1
466886054d5c2641ba6058f58a7a84053aa4696e

SHA256
f002b36e70f0fb159885c21fa6e6395176cd50a254201a94cbed756d9843fa9a

SHA512
ef6643badbb87739f0ae847d201651f8d3e677c54ca2aa3f81277b053355772f71d9b0f490617c104ce861a29e2b283fe6d82faf4cfe8f10bfc571d683cfea8e

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\toolbarIcons.xml

Filesize
2KB

MD5
bc4b775a277672fc7edf956120576ecb

SHA1
fe7c2db5b4d4c5a3f5603cf56c4d71cc9ee2d71d

SHA256
4ec98de37193f41242c1a47507bcc4c1af555e71154f7354272bc3e664e19877

SHA512
f87dc3ce52831ee308fbfa2b1b94c07e2811e7028360f046e012f8ea5a8f0ebcd362de7a663dee810c3da0791474c1485b1a2626c7867e76236156b125ff39b2

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\updater\gup.exe

Filesize
818KB

MD5
7073a8f48d526090a30c5c7e6191ca08

SHA1
2908951eb08202ae355a4e5a6f06076725bee725

SHA256
35663bf0e84cd3f9ba8949375fae8451263954154274ad4454b86920252424dc

SHA512
74705e6275b8a9e9e2eaf99e0c64ef041a52fc78ddf20190cfbe96a2e7412d92a90d912c17b996c3c4f7d5cb4f3f647ccfe4da56a0e592f15e7b86644e319753

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\userDefineLangs\markdown._preinstalled.udl.xml

Filesize
6KB

MD5
672e6d5f89887666ec94711e442644e0

SHA1
8d069ae93347316eff0dcf7aff4d22da18a62af2

SHA256
b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04

SHA512
8fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc

Download Submit
C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\userDefineLangs\markdown._preinstalled_DM.udl.xml

Filesize
6KB

MD5
3690cef1865e32fe6be1b2ec7656539a

SHA1
bc043bec63c310a60d9e242810036460c467945d

SHA256
e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25

SHA512
c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051

Download Submit
C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.PNF

Filesize
10KB

MD5
13e8aff9199dd47bb60983d2e3ec4d5d

SHA1
53be7c881959cb17c266c325a9601cc9784b1b20

SHA256
b5c691c3351a77a196ce6dfa41fe65a521874dbef5881e9cbc2962bd4cdab4f2

SHA512
0059100363dcd1f7d7738271571f9eaba2ee6a7d05b46ab74e15c8f29b3e9960b4cd573e54df35576eb3f26b723973d469de774f09ac41af7fbeeca80c4db5df

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
22750bfe361b1ab36ccf2ff7099f37ee

SHA1
a98ca5d509e1e5c5b90169262e2ef176a5fb5a97

SHA256
77df0c18fdc5be137c4c2bc73d5973ec149b0eb958a5baddf85f8888eb3a8c98

SHA512
88f5f954a37b67b24b8bbea53e4a2deb2ee3963537db8be822373880136aa30577b4d4e6f220d83c522b2f1b3b1c6a94ee6a88e5c6b0ee6132ef64b85fb1bad7

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5ddf7c7f-3b3a-4346-b6a6-35f09ab89048}_OnDiskSnapshotProp

Filesize
6KB

MD5
0a9ba63cb87140e8ef499423cdd6b65e

SHA1
0868bb0b0ff13e6976586283dccba137c0549ccd

SHA256
e63fbfcdde63f4d8a80324a38ee46216f82d4cec29a8460c3d74b867480467bc

SHA512
bf7c69debc3934591a1916e08a03bccf6c12539805ce453b002c5bcacb48df0ad7c5f016b2a77d38393220e105bf48f14c72b7e2a38c6d54fa84137779957d41

Download Submit
memory/712-337-0x0000017E21620000-0x0000017E2757F000-memory.dmp

Filesize
95.4MB

Download
memory/712-338-0x0000017E21290000-0x0000017E2130B000-memory.dmp

Filesize
492KB

Download
memory/3428-371-0x000000000DAD0000-0x000000000E736000-memory.dmp

Filesize
12.4MB

Download
memory/3428-339-0x0000000008880000-0x0000000008898000-memory.dmp

Filesize
96KB

Download
memory/3428-340-0x000000000DAD0000-0x000000000E736000-memory.dmp

Filesize
12.4MB

Download