Windows Analysis Report
veraport-g3-x64.exe

Overview

General Information

Sample name: veraport-g3-x64.exe
Analysis ID: 1544106
MD5: c9207ccbdef51cada0bc0402c6f1623c
SHA1: 28f3530f6fa7cf504f126b2270c40be3bcc9eea9
SHA256: 7734b2849f3efc85344db57c3c91376601b1f993b3aa18cbcd83473a37d80f17

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Installs new ROOT certificates
Modifies the windows firewall
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Adds / modifies Windows certificates
Changes image file execution options
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

AV Detection

Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-LNJSQ.tmp ReversingLabs: Detection: 25%
Source: veraport-g3-x64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-E859V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-N4BK0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-3H75G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-G2UQK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2D992E01-604B-472C-A883-1DDA105A24D5}_is1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-28 #001.txt
Source: veraport-g3-x64.exe Static PE information: certificate valid
Source: Binary string: C:\Users\wizvera\Desktop\WizveraRegsvr\x64\Release\WizveraRegsvr.pdb source: wizveraregsvr.exe, 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp, wizveraregsvr.exe, 00000013.00000000.2363487958.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr120.i386.pdb source: certutil.exe, 00000018.00000002.3263802690.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001A.00000002.3276531657.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001C.00000002.3282095622.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001E.00000002.3297710179.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000020.00000002.3303674504.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000022.00000002.3307695415.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000024.00000002.3312291213.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000026.00000002.3324453102.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000028.00000002.3332121105.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002A.00000002.3341341268.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002C.00000002.3349057425.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002E.00000002.3360358812.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\x64\Release\veraport-x64.pdb source: veraport-x64.exe, 00000015.00000003.2477875967.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4555379773.00007FF70F696000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\Release\wizcertutil.pdb source: wizcertutil.exe, 00000017.00000002.3386364551.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp, wizcertutil.exe, 00000017.00000000.3228728729.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274228580.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273899009.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273215219.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273834349.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273660874.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274551640.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: veraport-x64.exe, 00000015.00000002.4553402827.0000000002E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.gl9j
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288065099.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0A
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocspcnnicroot.cnnic.cn0;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: veraport-x64.exe, 00000015.00000002.4553402827.0000000002E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globa
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://veraport.wizvera.com/agreement.html
Source: regsvr32.exe, 00000012.00000003.2361385463.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vp.wizvera.com/vp-policy/
Source: regsvr32.exe, 00000012.00000003.2361385463.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vp.wizvera.com/vp-policy/origin
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cnnic.cn/cps/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cnnic.cn/download/cert/CNNICROOT.cer0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: veraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002360000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000000.2091498271.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.innosetup.com/
Source: veraport-g3-x64.exe, 00000000.00000000.2089525757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: certutil.exe, 0000002E.00000002.3361348979.000000006F913000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: http://www.mozilla.org/MPL/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3266301327.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000001A.00000002.3276943131.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000001C.00000002.3282538212.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000001E.00000002.3298134524.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000020.00000002.3303948438.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000022.00000002.3308224650.000000006F8EF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000024.00000002.3313056413.000000006F82F000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000026.00000002.3326618235.000000006F82F000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000028.00000002.3332521951.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000002A.00000002.3341706577.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000002C.00000002.3349349962.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000002E.00000002.3360748655.000000006F8CF000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: http://www.mozilla.org/MPL/NSPR_FD_CACHE_SIZE_LOWNSPR_FD_CACHE_SIZE_HIGH;
Source: wpmsvc.exe, 0000003C.00000002.3439396785.000000000063A000.00000002.00000001.01000000.0000001E.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: wpmsvc.exe, 0000003C.00000002.3439396785.000000000063A000.00000002.00000001.01000000.0000001E.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.phreedom.org/md5)
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.phreedom.org/md5)0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.phreedom.org/md5)Digital
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: veraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002360000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000000.2091498271.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0#
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: veraport-g3-x64.tmp, 00000001.00000003.2092405915.00000000031A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wizvera.com
Source: veraport-g3-x64.exe, 00000000.00000003.3515462350.0000000000A11000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wizvera.com1
Source: veraport-g3-x64.exe, 00000000.00000003.3515462350.0000000000A11000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3506929488.0000000002311000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wizvera.comq
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: veraport20unloader.exe, 00000005.00000002.2173701332.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000003.2169692250.0000000000400000.00000004.00001000.00020000.00000000.sdmp, veraport20unloader.exe, 00000008.00000002.2261276328.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000003.2185887432.0000000001F80000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.2477875967.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4555379773.00007FF70F696000.00000002.00000001.01000000.0000000C.sdmp, wizcertutil.exe, 00000017.00000002.3386364551.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp, wizcertutil.exe, 00000017.00000000.3228728729.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://://80:http://https://.?
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/projects/nspr
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/projects/nss
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4553402827.0000000002E55000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E23B090 GetKeyState,GetKeyState,GetKeyState,SendMessageW, 19_2_00007FF69E23B090

System Summary

Source: veraport20unloader.exe.1.dr Static PE information: section name:
Source: is-E859V.tmp.1.dr Static PE information: section name:
Source: is-3MSD8.tmp.1.dr Static PE information: section name:
Source: is-N4BK0.tmp.1.dr Static PE information: section name:
Source: is-08M60.tmp.1.dr Static PE information: section name:
Source: is-G2UQK.tmp.1.dr Static PE information: section name:
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24CFA0 19_2_00007FF69E24CFA0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E2497C8 19_2_00007FF69E2497C8
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24C070 19_2_00007FF69E24C070
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24D858 19_2_00007FF69E24D858
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245060 19_2_00007FF69E245060
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E23D084 19_2_00007FF69E23D084
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24FDB0 19_2_00007FF69E24FDB0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245D84 19_2_00007FF69E245D84
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E250E78 19_2_00007FF69E250E78
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24F4B4 19_2_00007FF69E24F4B4
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24895C 19_2_00007FF69E24895C
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E249B2C 19_2_00007FF69E249B2C
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) 1D30213F461B5A48B7B230C926F8D83455B0EDC4AB636140170F7B86C2EDB3CC
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-E4U10.tmp 89F20D64BB5F74375334BED6C6D97EB6A691EA2FA6F5B62138D91DD6E064C3F3
Source: veraport-g3-x64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: veraport-g3-x64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-HRCVV.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-HRCVV.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: wpmsvcsetup.tmp.52.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: wpmsvcsetup.tmp.52.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-RGLV1.tmp.53.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-RGLV1.tmp.53.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: veraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002474000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs veraport-g3-x64.exe
Source: veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FE40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs veraport-g3-x64.exe
Source: veraport-g3-x64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9985067851681957
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9925608915441176
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9947706653225806
Source: is-E859V.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9933246906841339
Source: is-E859V.tmp.1.dr Static PE information: Section: ZLIB complexity 1.002685546875
Source: is-3MSD8.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9923944887907609
Source: is-3MSD8.tmp.1.dr Static PE information: Section: ZLIB complexity 0.990234375
Source: is-N4BK0.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9985067851681957
Source: is-N4BK0.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9925608915441176
Source: is-N4BK0.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9947706653225806
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0002991272522523
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9984319982394366
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0030691964285714
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9918981481481481
Source: is-G2UQK.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0000887273576768
Source: is-G2UQK.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9914315562707641
Source: is-G2UQK.tmp.1.dr Static PE information: Section: ZLIB complexity 1.000244140625
Source: certutil.exe, 0000001A.00000003.3273962927.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273515690.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273021020.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274084000.000000000056D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .VbP.Vb
Source: classification engine Classification label: mal52.phis.spyw.evad.winEXE@106/99@0/0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E231760 LoadResource,LockResource,SizeofResource, 19_2_00007FF69E231760
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Mutant created: \Sessions\1\BaseNamedObjects\{24D4C5E4-B2DA-43BC-99D8-8D4F9E6A3E1E}_x64
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5240:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03
Source: C:\Users\user\Desktop\veraport-g3-x64.exe File created: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraport-x64.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraport.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraportmain20.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "verainagent.exe")
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: certutil.exe, 0000001E.00000003.3294705759.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3293943793.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.3297266923.0000000001557000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295910054.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319321678.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319955219.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL ace536359 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3355441278.0000000000907000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3356240335.0000000000907000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3358406468.0000000000907000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a82 FROM nssPublic WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: certutil.exe, 00000026.00000003.3318509911.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000002.3322233485.0000000000800000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3320180392.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318774813.00000000007EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO nssPublic (id,a80,a0,a101,a81,a1,a2,a82,a102,a3,a170,a11) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10);
Source: certutil.exe, 0000001E.00000003.3291539929.000000000189B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294882023.000000000189C000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.3297627456.000000000189C000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM nssPublic WHERE a0=$DATA0 AND a81=$DATA1 AND a82=$DATA2;
Source: certutil.exe, 00000026.00000003.3318509911.00000000007F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO nssPublic (id,a80,a0,a101,a81,a1,a2,a82,a102,a3,a170,a11) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10);FW
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294705759.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3293943793.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.3297266923.0000000001557000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295910054.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319321678.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319955219.00000000007A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a102 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000001E.00000003.3293943793.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294192222.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295031712.00000000015B3000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295340077.00000000015B3000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.3297378533.00000000015B4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292755948.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288320877.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3320725032.0000000000807000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000002.3322292077.0000000000808000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318509911.0000000000808000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319013052.0000000000802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM nssPublic WHERE a0=$DATA0 AND a3=$DATA1;
Source: certutil.exe, 00000026.00000002.3322067152.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319707603.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319236929.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO nssPublic (id,ace536360,a0,ace53635a,ace5363b4,a81,a1,ace53635b,ace5363b5,a2,a82,a3,a170,ace536358,ace536359) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10,$VALUE11,$VALUE12,$VALUE13);f
Source: certutil.exe, 0000001A.00000003.3274228580.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273899009.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273215219.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273834349.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273660874.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275441111.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3293943793.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294192222.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295031712.00000000015B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM nssPrivate WHERE a102=$DATA0 AND a0=$DATA1;
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a11 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000002C.00000002.3348480178.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL ace5363b4 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL ace53635b FROM nssPublic WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3260336618.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000020.00000002.3303280040.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000022.00000002.3307468270.000000006C488000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: certutil.exe, 00000026.00000002.3322067152.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319707603.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319236929.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO nssPublic (id,a0,a1,a2,a3,a81,a82,a170,ace536358,ace536359,ace53635a,ace53635b,ace536360,ace5363b4,ace5363b5) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10,$VALUE11,$VALUE12,$VALUE13);N
Source: certutil.exe, 0000001E.00000002.3296931904.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM metaData LIMIT 0;
Source: certutil.exe, 00000026.00000002.3322067152.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319707603.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319236929.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO nssPublic (id,a0,a1,a2,a3,a81,a82,a170,ace536358,ace536359,ace53635a,ace53635b,ace536360,ace5363b4,ace5363b5) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10,$VALUE11,$VALUE12,$VALUE13);
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: SELECT ALL * FROM %s;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3260336618.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000020.00000002.3303280040.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000022.00000002.3307468270.000000006C488000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: certutil.exe, 00000026.00000002.3322067152.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319707603.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319236929.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319236929.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319707603.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319955219.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO nssPublic (id,ace536360,a0,ace53635a,ace5363b4,a81,a1,ace53635b,ace5363b5,a2,a82,a3,a170,ace536358,ace536359) VALUES($ID,$VALUE0,$VALUE1,$VALUE2,$VALUE3,$VALUE4,$VALUE5,$VALUE6,$VALUE7,$VALUE8,$VALUE9,$VALUE10,$VALUE11,$VALUE12,$VALUE13);
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3260336618.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000020.00000002.3303280040.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000022.00000002.3307468270.000000006C488000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3260336618.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000020.00000002.3303280040.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000022.00000002.3307468270.000000006C488000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: certutil.exe, 0000002C.00000002.3348480178.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL ace53635a FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294705759.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3293943793.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.3297266923.0000000001557000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295910054.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319321678.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319955219.00000000007A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a0 FROM nssPublic WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3260336618.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000020.00000002.3303280040.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000022.00000002.3307468270.000000006C488000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a101 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000002C.00000002.3348480178.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL ace536360 FROM nssPublic WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: certutil.exe, 00000026.00000002.3321760567.0000000000758000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM nssPublic LIMIT 0;
Source: certutil.exe, 0000001E.00000003.3294705759.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3293943793.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.3297266923.0000000001557000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295910054.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3355441278.0000000000907000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3356240335.0000000000907000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3358406468.0000000000907000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a1 FROM nssPublic WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3260336618.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000020.00000002.3303280040.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000022.00000002.3307468270.000000006C488000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: certutil.exe, 0000001A.00000003.3271492811.000000000058E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273660874.000000000058E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273215219.000000000058E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274228580.000000000058F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274115248.000000000058F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319707603.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319236929.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3260336618.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000020.00000002.3303280040.000000006C458000.00000002.00000001.01000000.00000017.sdmp, certutil.exe, 00000022.00000002.3307468270.000000006C488000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a81 FROM nssPublic WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: certutil.exe, 0000001A.00000003.3274228580.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273899009.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273215219.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273834349.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273660874.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275441111.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1;
Source: certutil.exe, 00000026.00000003.3320725032.0000000000807000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000002.3322292077.0000000000808000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319013052.0000000000802000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318774813.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3320795318.0000000000808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM nssPublic WHERE a102=$DATA0 AND a0=$DATA1;
Source: certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL ace536358 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL a80 FROM nssPublic WHERE id=$ID;
Source: C:\Users\user\Desktop\veraport-g3-x64.exe File read: C:\Users\user\Desktop\veraport-g3-x64.exe
Source: unknown Process created: C:\Users\user\Desktop\veraport-g3-x64.exe "C:\Users\user\Desktop\veraport-g3-x64.exe"
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Process created: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp "C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp" /SL5="$10452,29641996,118784,C:\Users\user\Desktop\veraport-g3-x64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /addloopback
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\CheckNetIsolation.exe "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Source: C:\Windows\System32\CheckNetIsolation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /link
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe "C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe" /force /gencert /target veraport
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp "C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp" /SL5="$504CE,5451002,118784,C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Process created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Process created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" start WizveraPMSvc
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Wizvera-Veraport-G3(x64)" dir=in program="C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" action=allow
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start WizveraPMSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\CheckNetIsolation.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\CheckNetIsolation.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\CheckNetIsolation.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\CheckNetIsolation.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\CheckNetIsolation.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\CheckNetIsolation.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\CheckNetIsolation.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: oledlg.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: samcli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iertutil.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: apphelp.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: veraport20.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: oledlg.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: wininet.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: netapi32.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: iphlpapi.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: netutils.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: msasn1.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: samcli.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Section loaded: iertutil.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: oledlg.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: netapi32.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: netutils.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: msasn1.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: gpapi.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: textshaping.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: textinputframework.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: coremessaging.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: ntmarta.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: wintypes.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: wldp.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: profapi.dll
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Section loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-E859V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-N4BK0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-3H75G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Directory created: C:\Program Files\Wizvera\Veraport20\is-G2UQK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2D992E01-604B-472C-A883-1DDA105A24D5}_is1
Source: veraport-g3-x64.exe Static PE information: certificate valid
Source: veraport-g3-x64.exe Static file information: File size 30041304 > 1048576
Source: Binary string: C:\Users\wizvera\Desktop\WizveraRegsvr\x64\Release\WizveraRegsvr.pdb source: wizveraregsvr.exe, 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp, wizveraregsvr.exe, 00000013.00000000.2363487958.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr120.i386.pdb source: certutil.exe, 00000018.00000002.3263802690.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001A.00000002.3276531657.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001C.00000002.3282095622.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001E.00000002.3297710179.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000020.00000002.3303674504.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000022.00000002.3307695415.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000024.00000002.3312291213.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000026.00000002.3324453102.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000028.00000002.3332121105.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002A.00000002.3341341268.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002C.00000002.3349057425.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002E.00000002.3360358812.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\x64\Release\veraport-x64.pdb source: veraport-x64.exe, 00000015.00000003.2477875967.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4555379773.00007FF70F696000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\Release\wizcertutil.pdb source: wizcertutil.exe, 00000017.00000002.3386364551.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp, wizcertutil.exe, 00000017.00000000.3228728729.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E23A800 GetModuleHandleW,LoadLibraryW,GetProcAddress, 19_2_00007FF69E23A800
Source: initial sample Static PE information: section where entry point is pointing to: .themida
Source: veraport20unloader.exe.1.dr Static PE information: section name:
Source: veraport20unloader.exe.1.dr Static PE information: section name: .themida
Source: is-E859V.tmp.1.dr Static PE information: section name:
Source: is-E859V.tmp.1.dr Static PE information: section name: .themida
Source: is-3MSD8.tmp.1.dr Static PE information: section name:
Source: is-3MSD8.tmp.1.dr Static PE information: section name: .themida
Source: is-N4BK0.tmp.1.dr Static PE information: section name:
Source: is-N4BK0.tmp.1.dr Static PE information: section name: .themida
Source: is-08M60.tmp.1.dr Static PE information: section name:
Source: is-08M60.tmp.1.dr Static PE information: section name: .themida
Source: is-G2UQK.tmp.1.dr Static PE information: section name:
Source: is-G2UQK.tmp.1.dr Static PE information: section name: .themida
Source: is-LNJSQ.tmp.53.dr Static PE information: section name: .themida
Source: is-E4U10.tmp.53.dr Static PE information: section name: .themida
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00D11A12 pushfd ; ret 18_2_00D11A13
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CFCD92 pushfd ; ret 18_2_00CFCD93
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00D08B63 push es; iretd 18_2_00D08BE2
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00D0E928 pushfd ; iretd 18_2_00D0E96A
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CED6C8 push es; iretd 18_2_00CED6DA
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF16D0 push ds; iretd 18_2_00CF16FA
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CEEA89 push es; iretd 18_2_00CEEA8A
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CEEA81 push es; iretd 18_2_00CEEA82
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF1699 push ds; iretd 18_2_00CF16FA
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CEF499 push cs; iretd 18_2_00CEF49A
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CEFEB8 push es; iretd 18_2_00CEFEE2
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF1E4C push ss; iretd 18_2_00CF1E72
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF2C70 push ss; iretd 18_2_00CF2C72
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF3010 push ss; iretd 18_2_00CF303A
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CED422 push es; ret 18_2_00CED58C
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF1E21 push ss; iretd 18_2_00CF1E22
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF1D80 push ss; iretd 18_2_00CF1D82
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF2910 push ss; iretd 18_2_00CF293A
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CF1729 push ds; iretd 18_2_00CF172A
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CE0150 push eax; retf 18_2_00CE0151
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CE3098 push eax; retf 18_2_00CE30A9
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CE7510 pushad ; ret 18_2_00CE7511
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00CE0323 push eax; retf 18_2_00CE0341
Source: veraport20unloader.exe.1.dr Static PE information: section name: entropy: 7.980357022482312
Source: is-N4BK0.tmp.1.dr Static PE information: section name: entropy: 7.980357022482312
Source: is-08M60.tmp.1.dr Static PE information: section name: entropy: 7.986876970457978
Source: is-G2UQK.tmp.1.dr Static PE information: section name: entropy: 7.985969831962771
Source: is-L93U9.tmp.1.dr Static PE information: section name: .text entropy: 6.95576372950548

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FA4E633B56F1C7DF4738ECC9C5317CEF39A4E51 Blob
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FA4E633B56F1C7DF4738ECC9C5317CEF39A4E51 Blob
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nss3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\softokn3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssdbm3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\freebl3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-JREV0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-O9SHM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\veraport20.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-41J0E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\is-3H75G.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssutil3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\veraport-g3-x64.exe File created: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-UR9ID.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-HE9AS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\plds4.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-SDLEI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\veraport20unloader.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\npveraport20.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\smime3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-6EMT9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-LNJSQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-97UAB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-JP5T3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-1OEHN.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-IOCFQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-CU9VR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\plc4.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\mozillafinder.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\msvcr120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\is-E859V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nspr4.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\is-N4BK0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\sqlite3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-J9TPL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-E4U10.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-BDARG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-RGLV1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssckbi.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\ssl3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-0R719.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\is-G2UQK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-L93U9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe File created: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-08M60.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera\Veraport20\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-28 #001.txt Jump to behavior

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\veraport.exe CWDIllegalInDllSearch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpmsvc.exe CWDIllegalInDllSearch
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wizvera-veraport-x64 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E237A88 IsIconic,GetWindowPlacement,GetWindowRect, 19_2_00007FF69E237A88
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Window / User API: threadDelayed 493
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-97UAB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-1OEHN.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\softokn3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssdbm3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\freebl3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-JREV0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-IOCFQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-CU9VR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\mozillafinder.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-41J0E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-UR9ID.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-E859V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-HE9AS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-J9TPL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-SDLEI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-RGLV1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\ssl3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssckbi.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-6EMT9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-0R719.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-L93U9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-08M60.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\unins000.exe (copy) Jump to dropped file
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe API coverage: 9.4 %
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe TID: 1380 Thread sleep count: 493 > 30
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe TID: 1380 Thread sleep time: -49300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: regsvr32.exe, regsvr32.exe, 00000012.00000003.2362533034.0000000000D31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000012.00000002.2362719761.0000000000D31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: certutil.exe, 00000018.00000002.3259458534.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000018.00000003.3258739238.00000000006EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx|Y
Source: certutil.exe, 0000002C.00000002.3348480178.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: certutil.exe, 0000001A.00000002.3275098873.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001C.00000003.3280811049.0000000000D44000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3296019426.0000000001514000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000003.3302243288.00000000008E4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000022.00000003.3306417207.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000024.00000003.3311221966.0000000001293000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000024.00000002.3311755879.0000000001296000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3320858550.0000000000764000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000028.00000003.3330114679.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002A.00000003.3338134198.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3358378404.00000000008C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Thread information set: HideFromDebugger
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugPort
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugPort
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245B78 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF69E245B78
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E23A800 GetModuleHandleW,LoadLibraryW,GetProcAddress, 19_2_00007FF69E23A800
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245D6C SetUnhandledExceptionFilter, 19_2_00007FF69E245D6C
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245B78 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF69E245B78
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E2494F8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FF69E2494F8
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E242150 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF69E242150

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe NtSetInformationThread: Indirect: 0x1808751A3 Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe NtSetInformationThread: Indirect: 0x7FF70FCA4570
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe NtSetInformationThread: Indirect: 0x1405A89F6 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe NtQueryInformationProcess: Indirect: 0x1405CAC1B Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe NtQueryInformationProcess: Indirect: 0x1405BAD04 Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe NtQueryInformationProcess: Indirect: 0x18085CE79 Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe NtQueryInformationProcess: Indirect: 0x7FF70FC93633
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe NtQueryInformationProcess: Indirect: 0x7FF70FC93F45
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe NtQueryInformationProcess: Indirect: 0x18086FED2 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\CheckNetIsolation.exe "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: GetLocaleInfoA, 19_2_00007FF69E250918
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: GetLocaleInfoW,_errno,_errno,_snwprintf_s,_errno,_errno,_errno,PathFindFileNameW,GetModuleHandleW,GetProcAddress,LoadLibraryExW, 19_2_00007FF69E231900
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E2469C0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 19_2_00007FF69E2469C0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E237844 GetVersionExA, 19_2_00007FF69E237844
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert8.db
No contacted IP infos