Windows Analysis Report
E86.80_CheckPointVPN.msi

Overview

General Information

Sample name: E86.80_CheckPointVPN.msi
Analysis ID: 1560175
MD5: 0d3605b07664ee0ea25ee7d4b7e9b39e
SHA1: b340c804b375cb628fe384e793311c6ad886fa66
SHA256: 98662926c87b5d7db5670a7942a2600cd6389401b602cf23d34cba28fa05f0dd

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Drops executables to the Windows directory (C:\Windows) and starts them
Modifies the DNS server
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sample is not signed and drops a device driver
Tries to delay execution (extensive OutputDebugStringW loop)
Uses regedit.exe to modify the Windows registry
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies Windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the Windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing Windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Stores files to the Windows start menu directory
Stores large binary data to the registry

Classification

Source: MSIC46E.tmp.1.dr Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_487ede28-a
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\Internet Logs\Installer.log
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\trac_install.log
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 13.225.78.66:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: Binary string: F:\ckp\src\vna\RAVNA_MAIN\sln\x64\Release\vnaap.pdb source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\ckp\src\EP_Vsdata\E86_60_EWDK\Sys\Release\x64\Vsdatant.pdb source: VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\ckp\src\EP_Client_Watchdog\E86_60\CMpub\bin\win32.release.dynamic.msvc141\EPWD.pdb source: EPWD.exe, 00000028.00000000.2133240154.0000000000D61000.00000002.00000001.01000000.00000014.sdmp, EPWD.exe, 00000028.00000002.4162205253.0000000000D61000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: F:\ckp\src\vnauser\E86_50\CMpub\bin\WIN32\release.static\vna_install64_user64.pdb source: vna_install64.exe, 0000000C.00000000.1967850212.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 0000000C.00000002.2017649105.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 00000015.00000000.2020667919.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 00000015.00000002.2021423589.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: F:\ckp\src\trac\E86_80\CMpub\lib\WIN32\release.static\TrAPI.pdb source: TrGUI.exe, 00000026.00000002.4186746822.000000006B3B7000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr100.i386.pdb source: vna_utils.exe, 00000008.00000002.1966229621.000000006C051000.00000020.00000001.01000000.00000005.sdmp, vna_utils.exe, 0000000A.00000002.2018307557.000000006C051000.00000020.00000001.01000000.00000005.sdmp, vna_utils.exe, 00000011.00000002.2019733137.000000006C091000.00000020.00000001.01000000.00000005.sdmp, vna_utils.exe, 00000013.00000002.2022505556.000000006C091000.00000020.00000001.01000000.00000005.sdmp, TrGUI.exe, 00000026.00000002.4187419687.000000006BAD1000.00000020.00000001.01000000.00000005.sdmp, F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D.1.dr
Source: Binary string: F:\ckp\src\EP_Vsdata\E86_60\CMpub\bin\win32.release.dynamic.64.msvc141.ansi.mt\VsDrInst.pdb source: VsDrInst.exe, 00000022.00000000.2042875771.00007FF71F7DA000.00000002.00000001.01000000.00000007.sdmp, VsDrInst.exe, 00000022.00000002.2129447329.00007FF71F7DA000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: F:\ckp\src\cpp_decus\foxx\CMpub\bin\WIN32\release.dynamic\fwcpp.pdb source: fwcpp.exe.1.dr
Source: Binary string: F:\ckp\src\cpcapivista\E80_92\CMpub\lib\WIN32\release.dynamic\CertEnrollProxy.pdb source: CertEnrollProxy.dll.1.dr
Source: Binary string: F:\ckp\src\EP_Vsdata\E86_60_EWDK\Sys\Release\x64\epklibproxy.pdb source: VsDrInst.exe, 00000022.00000003.2045174693.0000024011A21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\ckp\src\EP_Logging\E86_60\CMpub\lib\win32.release.32.msvc141.ansi.md\Epilogue_spdlog_utstub.pdb source: EPWD.exe, 00000028.00000002.4169958255.000000006C0B6000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: F:\ckp\src\RAC_UI\E86_80\CMpub\bin\WIN32\release.static\TrGUI.pdb source: TrGUI.exe, 00000026.00000002.4168506076.000000000147F000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: F:\ckp\src\EPC_Slim\E86_60\Slim_Standalone\WIN32\release\slim_install.pdb source: MSIC46E.tmp.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: F:\ckp\src\osrc_lmx\lmx_7_4\CMpub\lib\WIN32\msvc141.32\lmx-MD-vs2017x86.pdb source: EPWD.exe, 00000028.00000002.4170520661.000000006C122000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: F:\ckp\src\dtis\E81_00\CMpub\lib\WIN32\release.dynamic.msvc100\FileHash_DYN.pdb source: FileHash_DYN.dll.1.dr
Source: Binary string: F:\ckp\src\vnauser\E86_50\CMpub\bin\WIN32\release.static\vna_utils.pdb source: vna_utils.exe, 00000008.00000000.1964465398.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000008.00000002.1965716854.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 0000000A.00000000.1966742009.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 0000000A.00000002.2018004201.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000011.00000002.2019587063.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000011.00000000.2018657285.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000013.00000000.2020055302.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000013.00000002.2021626687.0000000000A11000.00000002.00000001.01000000.00000004.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\svchost.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: vsdatant.sys.1.dr Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmTransactionBegin0, FwpmBfeStateUnsubscribeChanges0, FwpmBfeStateSubscribeChanges0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmProviderAdd0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmCalloutAdd0, FwpmCalloutDeleteById0, FwpmFilterAdd0, FwpmFilterDeleteById0, FwpsCalloutRegister0, FwpsCalloutRegister1, FwpsCalloutUnregisterById0, FwpsCloneStreamData0, FwpsCopyStreamDataToBuffer0, FwpsStreamContinue0, FwpsStreamInjectAsync0, FwpsQueryPacketInjectionState0, FwpsDereferenceNetBufferList0, FwpsReferenceNetBufferList0, FwpsInjectTransportReceiveAsync0, FwpsInjectTransportSendAsync0, FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsFreeNetBufferList0, FwpsAllocateNetBufferAndNetBufferList0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsClassifyOptionSet0, FwpsCompleteClassify0, FwpsPendClassify0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpsCompleteOperation0, FwpsPendOperation0, FwpsFlowRemoveContext0, FwpmEngineOpen0, FwpsFlowAssociateContext0, FwpmBfeStateGet0
Source: Joe Sandbox View IP Address: 13.225.78.66
Source: Joe Sandbox View JA3 fingerprint: 535aca3d99fc247509cd50933cd71d37
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: gwevents.checkpoint.com
Source: unknown HTTP traffic detected:
POST /gwstats/services/antimalware/1_0_0/log HTTP/1.1
Host: gwevents.checkpoint.com
User-Agent: TelemetryAPI/0.2
Accept: */*
Content-Type: application/xml
Content-Length: 2254
Expect: 100-continue
Source: TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://216.200.241.66
Source: TrGUI.exe, 00000026.00000002.4168506076.000000000147F000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://216.200.241.66TrIcsReportDialog::on_WebBrowser_BeforeNavigate%s:
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE0858000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE088D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE0947000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: EPWD.exe, 00000028.00000003.2138552100.0000000001301000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: EPWD.exe, 00000028.00000003.2138627989.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: EPWD.exe, 00000028.00000003.2138253903.00000000026CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp, VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2139492272.000000000128F000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4165429748.0000000001770000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2135280528.00000000026DE000.00000004.00000020.00020000.00000000.sdmp, MSIC46E.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp, VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2135280528.00000000026DE000.00000004.00000020.00020000.00000000.sdmp, MSIC46E.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2135280528.00000000026DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: EPWD.exe, 00000028.00000003.2138134316.00000000026DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2139492272.000000000128F000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4165429748.0000000001770000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp, MSIC46E.tmp.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138475951.000000000130B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: EPWD.exe, 00000028.00000003.2135280528.00000000026DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: EPWD.exe, 00000028.00000003.2138627989.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: EPWD.exe, 00000028.00000003.2137746402.0000000002730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: EPWD.exe, 00000028.00000003.2138134316.00000000026DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138475951.000000000130B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138053178.000000000270A000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138134316.000000000270A000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://s2.symcb.com0
Source: EPWD.exe, 00000028.00000002.4170520661.000000006C122000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: EPWD.exe, 00000028.00000002.4170520661.000000006C122000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/SOAP-ENV:Faultlmxsoap.cppFaultdefaultpreservelmxsoap.cppa_i
Source: EPWD.exe, 00000028.00000002.4170520661.000000006C122000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: EPWD.exe, 00000028.00000002.4170520661.000000006C122000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/SOAP-ENVHeaderBodyfaultcodefaultstringfaultactordetail
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2135280528.00000000026DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://sv.symcd.com0&
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: EPWD.exe, 00000028.00000003.2138253903.00000000026CE000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138552100.0000000001301000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: EPWD.exe, 00000028.00000003.2138627989.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: EPWD.exe, 00000028.00000003.2138627989.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: EPWD.exe, 00000028.00000003.2137746402.0000000002730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: EPWD.exe, 00000028.00000003.2138627989.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp, VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.checkpoint.com
Source: TrGUI.exe, 00000026.00000002.4168506076.000000000147F000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.checkpoint.com/
Source: TrGUI.exe, 00000026.00000002.4168506076.000000000147F000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.checkpoint.com/products/endpoint_security/index.html
Source: TrGUI.exe, 00000026.00000002.4168506076.000000000147F000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.checkpoint.com/products/endpoint_security/index.htmlTrStatusDialog::UpdateConnInfo%s:
Source: TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.checkpoint.com/surveys/disc0110/disc.htm
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: EPWD.exe, 00000028.00000003.2138627989.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138475951.000000000130B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2137945943.000000000270D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: EPWD.exe, 00000028.00000003.2138253903.00000000026CE000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2137616776.0000000002739000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp, VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2139492272.000000000128F000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4165429748.0000000001770000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2135280528.00000000026DE000.00000004.00000020.00020000.00000000.sdmp, MSIC46E.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: EPWD.exe, 00000028.00000003.2138253903.00000000026CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: EPWD.exe, 00000028.00000003.2139216136.000000000273F000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2137616776.0000000002739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: EPWD.exe, 00000028.00000003.2137822672.0000000002741000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138253903.00000000026CE000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2137616776.0000000002739000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.eme.lv/repository0
Source: EPWD.exe, 00000028.00000003.2138253903.00000000026CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oaticerts.com/repository.
Source: MSIC46E.tmp.1.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: EPWD.exe, 00000028.00000003.2138134316.00000000026DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: EPWD.exe, 00000028.00000003.2138134316.00000000026DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: EPWD.exe, 00000028.00000003.2138134316.00000000026DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: EPWD.exe, 00000028.00000003.2137616776.0000000002739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: EPWD.exe, 00000028.00000003.2138134316.00000000026DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: EPWD.exe, 00000028.00000003.2138552100.0000000001301000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: EPWD.exe, 00000028.00000003.2137746402.0000000002730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rcsc.lt/repository0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138475951.000000000130B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138475951.000000000130B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: EPWD.exe, 00000028.00000003.2138053178.00000000026E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: EPWD.exe, 00000028.00000003.2138014866.00000000026F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: EPWD.exe, 00000028.00000003.2138134316.00000000026DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: MSIC46E.tmp.1.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: CertEnrollProxy.dll.1.dr, FileHash_DYN.dll.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE0902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE093F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2129496073.0000029BE084E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE0902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE08E3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2129496073.0000029BE0928000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2129496073.0000029BE0947000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2129496073.0000029BE0934000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000027.00000003.2129496073.0000029BE0902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE0902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: EPWD.exe, 00000028.00000002.4163148983.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/ga
Source: EPWD.exe, 00000028.00000003.2138552100.0000000001301000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2138288181.00000000012A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE0902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000027.00000003.2129496073.0000029BE08B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_AUTHENTICATED&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_AVAILABLE_TARGET&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_CONFIGURATION_ERROR&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_ERROR&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_INVALID_OTP&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_OTP_REQUIRED&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_OTP_REQUIRED_WITH_MATCHWORD&project=
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_OTP_REQUIRED_WITH_TARGET&project=her
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_OTP_REQUIRED_WITH_TARGET_AND_MATCHWORD&a
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_REQUEST_FAILED&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_SENDING_ERROR&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_TIMEOUT_ERROR&project=hero
Source: TrGUI.exe, 00000026.00000002.4176678898.0000000004582000.00000004.00000020.00020000.00000000.sdmp, TrGUI.exe, 00000026.00000003.2097740885.0000000003E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://opengrok.checkpoint.com:8443/source/s?defs=CPSC_DID_USER_AUTHENTICATED&project=hero
Source: EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: EPWD.exe, 00000028.00000003.2137746402.0000000002730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://repository.tsp.zetes.com0
Source: VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4165429748.0000000001770000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp, MSIC46E.tmp.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: EPWD.exe, 00000028.00000003.2137945943.000000000270D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: EPWD.exe, 00000028.00000003.2138395220.00000000026BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: EPWD.exe, 00000028.00000003.2137787553.000000000272A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2135280528.00000000026DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: EPWD.exe, 00000028.00000003.2137616776.0000000002739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: EPWD.exe, 00000028.00000003.2138253903.00000000026CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: EPWD.exe, 00000028.00000003.2137862721.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown HTTPS traffic detected: 13.225.78.66:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{fc5ecf74-4dad-3146-9a2d-d1f65d32229a}\Vsdatant.cat (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{fc5ecf74-4dad-3146-9a2d-d1f65d32229a}\SETC64.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\SETF2E1.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\vnaap.cat (copy)

System Summary

Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScvPlugins-64.reg"
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Process Stats: CPU usage > 49%
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\ccore64.sys
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\system32\drivers\DisconnectedPolicy.xml
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\44bf3e.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC46E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC569.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{55625C3A-FC77-49FF-B66F-6BD713EB9904}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA4C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA8B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICB67.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICBE5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICC82.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICD00.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID3C8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID446.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID4B4.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID523.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID562.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID5A2.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\config.xml
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\CPEPC_PLAP.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\epcginashim.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Epilogue_spdlog.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\epklib.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\FirewallMonitor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\vsconfig.xml
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vsdata.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\epklibproxy.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\vsdatant.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\vsdatant.inf
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\vsdatant.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vsinit.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vsutil.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\concrt140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_1.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_2.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\vccorlib140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\vcruntime140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE93A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{55625C3A-FC77-49FF-B66F-6BD713EB9904}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{55625C3A-FC77-49FF-B66F-6BD713EB9904}\icon.ico
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE9C8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEA07.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1B7.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI89D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2C24.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\44bf40.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B19.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3CD0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3DDA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI40BA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4407.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\system32\drivers\epklib.sys
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\system32\drivers\ccore64.sys
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Installer\wix{55625C3A-FC77-49FF-B66F-6BD713EB9904}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe File created: C:\Windows\System32\DriverStore\FileRepository\vnaap.inf_amd64_ea39d26158cde1be\vnaap.PNF
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\vnaap.inf_amd64_ea39d26158cde1be
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\system32\DRIVERS\epklibproxy.sys
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\system32\DRIVERS\vsconfig.xml
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\vsdatant.inf_amd64_f1720c58d424ef6e\vsdatant.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\INF\oem5.PNF
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\system32\DRIVERS\SET20D6.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\vsdatant.inf_amd64_f1720c58d424ef6e
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem5.inf
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIC46E.tmp
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Process token adjusted: Load Driver
Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
Source: vsutil.dll.1.dr Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: TrGUI.exe, 00000026.00000002.4168506076.000000000130C000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.000000000130C000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: nna.nosciencehu.comtadaoka.osaka.jphayakawa.yamanashi.jpdnsalias.orgedu.saedu.sbedu.rsedu.sclib.id.usogori.fukuoka.jpnotogawa.shiga.jpedu.sdrepbody.aeroid.auedu.ruk12.nj.usloyalist.museumedu.rwedu.sgxyzmoka.tochigi.jpdynathome.netkimino.wakayama.jpedu.slnissanveterinaire.kmkokubunji.tokyo.jpedu.snos.hordaland.notm.kmartsandcrafts.museumis-a-musician.com*.kitakyushu.jpiitate.fukushima.jpedu.stav.iturayasu.chiba.jpedu.svflorida.museumninjaedu.synemuro.hokkaido.jpedu.tjs
Source: classification engine Classification label: sus32.troj.spyw.evad.winMSI@65/333@1/2
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe File created: C:\Users\user\AppData\Roaming\CheckPoint
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Installer.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\TrGUIMutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI486f8.LOG
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\E86.80_CheckPointVPN.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A6ED024D439424B526759233BDEE0F53 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding ED6D1DDC8B36062FD3DE943C117EC655
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B7E8D0903B03240BCAF278B2322B4761 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna dev exist cp_apvna
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna dev install "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.inf" cp_apvna
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe vna_install64.exe install "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.inf" cp_apvna
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "c:\program files (x86)\checkpoint\endpoint connect\vnaap.inf" "9" "4b8ec8843" "0000000000000158" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\checkpoint\endpoint connect"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:daca4e3358f55059:VNA_Apollo.ndi:2.1.3.0:cp_apvna," "4b8ec8843" "0000000000000164"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna drv unload
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna drv load
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe vna_install64.exe changestate cp_apvna 2
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScvPlugins-64.reg"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScvProxy-64.reg"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Users\user\AppData\Local\Temp\2\Trac.config""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Users\user\AppData\Local\Temp\2\Pireg.exe""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Users\user\AppData\Local\Temp\2\PiReg.exe""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Program Files (x86)\CheckPoint\Endpoint Connect\PiReg.exe""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\sc.exe sc config wscsvc start= auto
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe C:\Windows\SysWOW64\ZoneLabs\vsdrInst.exe -i C:\Windows\SysWOW64\ZoneLabs\vsdatant.inf
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "C:\Windows\SysWOW64\ZoneLabs\vsdatant.inf" "9" "493f6c84b" "0000000000000174" "WinSta0\Default" "0000000000000118" "208" "C:\Windows\SysWOW64\ZoneLabs"
Source: unknown Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe net start TracSrvWrapper
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start TracSrvWrapper
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:daca4e3358f55059:VNA_Apollo.ndi:2.1.3.0:cp_apvna," "4b8ec8843" "0000000000000164"
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: libcurl.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: spinf.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: drvstore.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\svchost.exe Section loaded: spinf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: drvstore.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: authz.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: aclui.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: clb.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: authz.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: aclui.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: clb.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: devrtl.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: spinf.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: drvstore.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: netsetupshim.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: netsetupengine.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: netsetupshim.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: netsetupengine.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: spfileq.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: tcpipcfg.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: mf.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: mfplat.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: d3d9.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dxva2.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: evr.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: msvcp100.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: mfcore.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: powrprof.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: rtworkq.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: ksuser.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: mfperfhelper.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: umpdc.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wintab32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: version.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: xerces-c_3_2.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: ieframe.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: msiso.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: mshtml.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: srpapi.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: msimtf.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: msls31.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: d2d1.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: dxcore.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: mlang.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: lmx-md-vs2017x86.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: epilogue_spdlog.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: pdh.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32
Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files (x86)\CheckPoint\Endpoint Connect\BrowserScv.ini
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: I accept the terms in the license agreement
Source: C:\Windows\System32\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: E86.80_CheckPointVPN.msi Static file information: File size 36827136 > 1048576
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: F:\ckp\src\vna\RAVNA_MAIN\sln\x64\Release\vnaap.pdb source: drvinst.exe, 0000000E.00000003.1986568144.00000128AD14D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.1988407301.00000128AD1B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\ckp\src\EP_Vsdata\E86_60_EWDK\Sys\Release\x64\Vsdatant.pdb source: VsDrInst.exe, 00000022.00000003.2103676565.0000024011A72000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000025.00000003.2052496039.00000243C050D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\ckp\src\EP_Client_Watchdog\E86_60\CMpub\bin\win32.release.dynamic.msvc141\EPWD.pdb source: EPWD.exe, 00000028.00000000.2133240154.0000000000D61000.00000002.00000001.01000000.00000014.sdmp, EPWD.exe, 00000028.00000002.4162205253.0000000000D61000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: F:\ckp\src\vnauser\E86_50\CMpub\bin\WIN32\release.static\vna_install64_user64.pdb source: vna_install64.exe, 0000000C.00000000.1967850212.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 0000000C.00000002.2017649105.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 00000015.00000000.2020667919.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 00000015.00000002.2021423589.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: F:\ckp\src\trac\E86_80\CMpub\lib\WIN32\release.static\TrAPI.pdb source: TrGUI.exe, 00000026.00000002.4186746822.000000006B3B7000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr100.i386.pdb source: vna_utils.exe, 00000008.00000002.1966229621.000000006C051000.00000020.00000001.01000000.00000005.sdmp, vna_utils.exe, 0000000A.00000002.2018307557.000000006C051000.00000020.00000001.01000000.00000005.sdmp, vna_utils.exe, 00000011.00000002.2019733137.000000006C091000.00000020.00000001.01000000.00000005.sdmp, vna_utils.exe, 00000013.00000002.2022505556.000000006C091000.00000020.00000001.01000000.00000005.sdmp, TrGUI.exe, 00000026.00000002.4187419687.000000006BAD1000.00000020.00000001.01000000.00000005.sdmp, F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D.1.dr
Source: Binary string: F:\ckp\src\dtis\E81_00\CMpub\lib\WIN32\release.dynamic.msvc100\FileHash_DYN.pdbi source: FileHash_DYN.dll.1.dr
Source: Binary string: F:\ckp\src\EP_Client_Watchdog\E86_60\CMpub\bin\win32.release.dynamic.msvc141\EPWD.pdbEE/ source: EPWD.exe, 00000028.00000000.2133240154.0000000000D61000.00000002.00000001.01000000.00000014.sdmp, EPWD.exe, 00000028.00000002.4162205253.0000000000D61000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: F:\ckp\src\EP_Vsdata\E86_60\CMpub\bin\win32.release.dynamic.64.msvc141.ansi.mt\VsDrInst.pdb source: VsDrInst.exe, 00000022.00000000.2042875771.00007FF71F7DA000.00000002.00000001.01000000.00000007.sdmp, VsDrInst.exe, 00000022.00000002.2129447329.00007FF71F7DA000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: F:\ckp\src\cpp_decus\foxx\CMpub\bin\WIN32\release.dynamic\fwcpp.pdb source: fwcpp.exe.1.dr
Source: Binary string: F:\ckp\src\cpcapivista\E80_92\CMpub\lib\WIN32\release.dynamic\CertEnrollProxy.pdb source: CertEnrollProxy.dll.1.dr
Source: Binary string: F:\ckp\src\vnauser\E86_50\CMpub\bin\WIN32\release.static\vna_install64_user64.pdb! source: vna_install64.exe, 0000000C.00000000.1967850212.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 0000000C.00000002.2017649105.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 00000015.00000000.2020667919.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp, vna_install64.exe, 00000015.00000002.2021423589.00007FF6F67AA000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: F:\ckp\src\EP_Vsdata\E86_60_EWDK\Sys\Release\x64\epklibproxy.pdb source: VsDrInst.exe, 00000022.00000003.2045174693.0000024011A21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\ckp\src\EP_Logging\E86_60\CMpub\lib\win32.release.32.msvc141.ansi.md\Epilogue_spdlog_utstub.pdb source: EPWD.exe, 00000028.00000002.4169958255.000000006C0B6000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: F:\ckp\src\RAC_UI\E86_80\CMpub\bin\WIN32\release.static\TrGUI.pdb source: TrGUI.exe, 00000026.00000002.4168506076.000000000147F000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.000000000147F000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: F:\ckp\src\EPC_Slim\E86_60\Slim_Standalone\WIN32\release\slim_install.pdb source: MSIC46E.tmp.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: F:\ckp\src\osrc_lmx\lmx_7_4\CMpub\lib\WIN32\msvc141.32\lmx-MD-vs2017x86.pdb source: EPWD.exe, 00000028.00000002.4170520661.000000006C122000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: F:\ckp\src\EP_Logging\E86_60\CMpub\lib\win32.release.32.msvc141.ansi.md\Epilogue_spdlog_utstub.pdb!! source: EPWD.exe, 00000028.00000002.4169958255.000000006C0B6000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: F:\ckp\src\dtis\E81_00\CMpub\lib\WIN32\release.dynamic.msvc100\FileHash_DYN.pdb source: FileHash_DYN.dll.1.dr
Source: Binary string: F:\ckp\src\vnauser\E86_50\CMpub\bin\WIN32\release.static\vna_utils.pdb source: vna_utils.exe, 00000008.00000000.1964465398.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000008.00000002.1965716854.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 0000000A.00000000.1966742009.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 0000000A.00000002.2018004201.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000011.00000002.2019587063.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000011.00000000.2018657285.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000013.00000000.2020055302.0000000000A11000.00000002.00000001.01000000.00000004.sdmp, vna_utils.exe, 00000013.00000002.2021626687.0000000000A11000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: F:\ckp\src\osrc_lmx\lmx_7_4\CMpub\lib\WIN32\msvc141.32\lmx-MD-vs2017x86.pdb## source: EPWD.exe, 00000028.00000002.4170520661.000000006C122000.00000002.00000001.01000000.00000015.sdmp
Source: epklib.sys.1.dr Static PE information: section name: PAGEDBG
Source: msvcp140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3.1.dr Static PE information: section name: .didat
Source: TrGUI.exe.1.dr Static PE information: section name: .qtmetad
Source: Epilogue_spdlog.dll0.1.dr Static PE information: section name: .00cfg
Source: msvcr100.dll.1.dr Static PE information: section name: .text entropy: 6.90903234258047
Source: cpopenssl.dll.1.dr Static PE information: section name: .text entropy: 6.838550886992587
Source: cpprng.dll.1.dr Static PE information: section name: .text entropy: 7.001442938787662
Source: trac.exe.1.dr Static PE information: section name: .text entropy: 6.805691337532115
Source: TracCAPI.exe.1.dr Static PE information: section name: .text entropy: 6.866807620265545
Source: F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D.1.dr Static PE information: section name: .text entropy: 6.90903234258047

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\msiexec.exe Executable created and started: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\ccore64.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\epklib.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\epklibproxy.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\vsdatant.sys
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\system32\drivers\epklib.sys
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\system32\drivers\ccore64.sys
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\system32\DRIVERS\epklibproxy.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4407.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\fwcpp.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cpopenssl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\ProcessMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Epilogue_spdlog.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\CPEPC_PLAP.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\xerces-c_3_2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\FirewallMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1B7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScriptRun.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cptmis.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\msvcr100.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{fc5ecf74-4dad-3146-9a2d-d1f65d32229a}\SETC95.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\epklibproxy.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\Epilogue_spdlog.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\CertEnrollProxy.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\System32\CPEPC_PLAP.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\vsdatant.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vsutil.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\DataStruct.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI89D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\WatchdogAPI.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI88DC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\HotFixMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA8B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICC82.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_2.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\proxystub.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\ccore64.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\concrt140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\VPN_ProxyServer.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrSAA.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cpbcrypt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\SCVMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE93A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\openmail.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\SCUIAPI.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cpprng.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Pireg.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\RegMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICBE5.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{fc5ecf74-4dad-3146-9a2d-d1f65d32229a}\vsdatant.sys (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\vccorlib140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\System32\epcginashim.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\BrowserMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrScvStub.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\SETF311.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID4B4.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID5A2.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA4C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\groupmonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3CD0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_1.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\lmx-MD-vs2017x86.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE9C8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID562.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\OS.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\drivers\epklibproxy.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3DDA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI40BA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI89F7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\epcginashim.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\vcruntime140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vsinit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cpmsi_tool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\2\Pireg.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC46E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracCAPI.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\scvprod_lang_pack.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\WindowsSecurityMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\epcgina.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\OSMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC569.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD_Tool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID523.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\System32\drivers\SET20D6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\update_config_tool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cptmsender.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\vnaap.sys (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\DAAW.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrAPI.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\Zonelabs\epklib.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe File created: C:\Windows\system32\DRIVERS\vsdatant.sys (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID3C8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\RunAs.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B19.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\dtplat.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\HWMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\PacketMon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrDiagnosticModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\UninstallSecureClient.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICD00.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\System32\drivers\epklib.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vsdata.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2C24.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\System32\drivers\ccore64.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\AntivirusMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEA07.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID446.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI896A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\FileHash_DYN.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_1.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_2.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\vccorlib140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\vcruntime140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3 Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\Internet Logs\Installer.log Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\trac_install.log Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant\Parameters Jump to behavior
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FW1\Parameters Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Check Point Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Check Point\Check Point Endpoint Security VPN.lnk Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Check Point VPN Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Check Point VPN Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\sc.exe sc config wscsvc start= auto
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 Blob
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: OutputDebugStringW count: 142
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Memory allocated: 6CF0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Window / User API: foregroundWindowGot 370
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Window / User API: threadDelayed 4757
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Window / User API: threadDelayed 4400
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4407.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\fwcpp.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cpopenssl.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\ProcessMonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\CPEPC_PLAP.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\FirewallMonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1B7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cptmis.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScriptRun.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{fc5ecf74-4dad-3146-9a2d-d1f65d32229a}\SETC95.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Zonelabs\epklibproxy.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\CertEnrollProxy.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\System32\CPEPC_PLAP.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Zonelabs\vsdatant.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vsutil.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\DataStruct.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI89D.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\WatchdogAPI.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\HotFixMonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI88DC.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICA8B.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICC82.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_2.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\proxystub.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Zonelabs\ccore64.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\concrt140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\VPN_ProxyServer.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrSAA.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\SCVMonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE93A.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\openmail.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\SCUIAPI.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cpprng.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.exe
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Pireg.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\RegMonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICBE5.tmp
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{fc5ecf74-4dad-3146-9a2d-d1f65d32229a}\vsdatant.sys (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\vccorlib140.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\System32\epcginashim.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\BrowserMonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrScvStub.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\SETF311.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID4B4.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID5A2.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICA4C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3CD0.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\groupmonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_1.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE9C8.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID562.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\OS.dll
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\epklibproxy.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI40BA.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3DDA.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI89F7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\epcginashim.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cpmsi_tool.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vsinit.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2\Pireg.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC46E.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracCAPI.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\scvprod_lang_pack.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\WindowsSecurityMonitor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\epcgina.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\OSMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC569.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD_Tool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID523.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\SET20D6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\update_config_tool.exe Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\vnaap.sys (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\cptmsender.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrAPI.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\DAAW.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Zonelabs\epklib.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Dropped PE file which has not been started: C:\Windows\system32\DRIVERS\vsdatant.sys (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID3C8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\RunAs.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3B19.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\dtplat.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\HWMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\PacketMon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrDiagnosticModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\UninstallSecureClient.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\epklib.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICD00.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2C24.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vsdata.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\ccore64.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\AntivirusMonitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEA07.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI896A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID446.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\FileHash_DYN.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
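The list above mixes application binaries under Program Files, MSI cache copies under C:\Windows\Installer, runtime DLLs in SysWOW64, and driver files (epklibproxy.sys, vsdatant.sys, vnaap.sys, epklib.sys, ccore64.sys and the SETxxxx.tmp staging copy that SetupAPI writes before renaming) written by VsDrInst.exe, drvinst.exe and both msiexec.exe instances. A driver is loaded by the kernel rather than started as a process, so "has not been started" says little about the .sys entries; they are the files to pull for signature and driver-package checks. The Python below is an added triage example, not part of the sandbox report or of the Check Point package: it sorts such lines by location. The category names and the directory rules are the example's own assumptions, and the sample input is copied from the lines above.

```python
import re
from collections import defaultdict

# One "Dropped PE file" observation line from the report.
DROP_RE = re.compile(
    r"^Source:\s+(?P<dropper>\S+)\s+Dropped PE file which has not been started:"
    r"\s+(?P<path>.+?)\s*$"
)

def classify(path: str) -> str:
    """Directory rules are this example's own assumptions, checked in priority order."""
    p = path.lower()
    if p.endswith(" (copy)"):          # report annotation, not part of the path
        p = p[: -len(" (copy)")]
    if p.endswith(".sys") or "\\drivers\\" in p or "\\driverstore\\" in p:
        return "kernel-driver"         # loaded by the kernel, never "started" as a process
    if "\\windows\\installer\\" in p or "\\appdata\\local\\temp\\" in p:
        return "installer-temp"        # MSI cache / custom-action scratch copies
    if "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p:
        return "system-dir"
    if "\\program files" in p:
        return "app-dir"
    return "other"

def triage(text: str):
    """Return (category -> paths in report order, dropper process -> file count)."""
    by_cat, droppers = defaultdict(list), defaultdict(int)
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            by_cat[classify(m["path"])].append(m["path"])
            droppers[m["dropper"]] += 1
    return dict(by_cat), dict(droppers)

def driver_writers(text: str):
    """Processes that wrote driver files, with the files they wrote: the set to
    check for a signed driver package rather than for a started process."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m and classify(m["path"]) == "kernel-driver":
            out[m["dropper"]].append(m["path"])
    return dict(out)

# Sample input copied from the report lines above (a subset).
SAMPLE = r"""
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID5A2.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\A3C5265577CFFF946BF6B67D31BE9940\98.61.4309\msvcp140_1.dll.4E0C0521_7D4B_3B97_9D4C_5A47A4B7B4B3
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\epklibproxy.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI89F7.tmp
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\SET20D6.tmp
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\vnaap.sys (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Zonelabs\epklib.sys
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\ccore64.sys
"""

if __name__ == "__main__":
    cats, droppers = triage(SAMPLE)
    for cat, paths in cats.items():
        print(f"{cat}: {len(paths)} file(s)")
    for proc, files in driver_writers(SAMPLE).items():
        print(proc, "->", files)
```

Run against the full list, the kernel-driver bucket and the driver_writers map are the only output that needs a human; everything in installer-temp is expected for any MSI and can be confirmed by hash against the package contents.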
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6364 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5500 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5500 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep count: 4757 > 30
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep time: -2378500s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 4364 Thread sleep time: -34600s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 7272 Thread sleep count: 258 > 30
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 7272 Thread sleep time: -77400000s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep count: 4400 > 30
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep time: -2200000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Last function: Thread delayed
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Thread delayed: delay time: 40000
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Thread delayed: delay time: 50000
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Thread delayed: delay time: 300000
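The sleep lines above come in count/time pairs per thread ID, and the quotient is the number worth looking at: EPWD.exe TID 1668 reports 4757 sleeps totalling 2378500 and later 4400 totalling 2200000, i.e. 500 per call, while TID 7272 reports 258 sleeps totalling 77400000, i.e. 300000 per call, the same figure as the "Thread delayed: delay time: 300000" entry. Thousands of identical short waits are a polling loop; a one-shot long wait looks different in this arithmetic. The page prints the sleep figures with an "s" suffix while the delay-time entries carry the same numbers without one, so compare the values with each other rather than reading them as seconds. The Python below is an added example, not anything from the report: it pairs each count line with the next time line for the same thread (that pairing, and treating an unpaired time line as a single call, are assumptions), and the sample input is copied from the lines above.

```python
import re
from collections import defaultdict

# "Thread sleep count: N > 30" and "Thread sleep time: -Ts >= -30000s" lines.
SLEEP_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+TID:\s+(?P<tid>\d+)\s+Thread sleep "
    r"(?P<kind>count|time):\s+(?P<value>-?\d+)s?\s+[>=]+\s+-?\d+s?\s*$"
)
# "Thread delayed: delay time: N" lines (the report gives no thread ID here).
DELAY_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Thread delayed: delay time:\s+(?P<value>\d+)\s*$"
)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def summarize(text: str):
    """Return (per-thread sleep records, per-process explicit delay values).

    ASSUMPTION: a "count" line is paired with the next "time" line for the same
    thread ID; a "time" line with no pending count is treated as a single call.
    The report prints relative timeouts as negative numbers; the sign is dropped.
    """
    records = defaultdict(list)   # (exe, tid) -> [(calls, total, per_call)]
    pending = {}                  # (exe, tid) -> call count awaiting its time line
    delays = defaultdict(set)     # exe -> explicit delay values seen
    for line in text.splitlines():
        m = SLEEP_RE.match(line)
        if m:
            key = (basename(m["proc"]), int(m["tid"]))
            value = abs(int(m["value"]))
            if m["kind"] == "count":
                pending[key] = value
            else:
                calls = pending.pop(key, 1)
                records[key].append((calls, value, value / calls))
            continue
        m = DELAY_RE.match(line)
        if m:
            delays[basename(m["proc"])].add(int(m["value"]))
    return dict(records), dict(delays)

def polling_loops(records, min_calls=100):
    """Threads whose every record is many calls of one interval: a heartbeat or
    poll loop, as opposed to a single long delay."""
    return {k: v for k, v in records.items() if all(c >= min_calls for c, _, _ in v)}

# Sample input copied from the report lines above.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6364 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe TID: 4432 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep count: 4757 > 30
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep time: -2378500s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 4364 Thread sleep time: -34600s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 7272 Thread sleep count: 258 > 30
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 7272 Thread sleep time: -77400000s >= -30000s
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep count: 4400 > 30
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe TID: 1668 Thread sleep time: -2200000s >= -30000s
Source: C:\Windows\SysWOW64\Zonelabs\VsDrInst.exe Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Thread delayed: delay time: 300000
"""

if __name__ == "__main__":
    records, delays = summarize(SAMPLE)
    for (exe, tid), recs in records.items():
        for calls, total, per_call in recs:
            print(f"{exe} tid={tid}: {calls} call(s), total {total}, {per_call:g} per call")
    print("polling loops:", sorted(polling_loops(records)))
    print("explicit delays:", delays)
```

The 30000/40000/50000/60000 series for VsDrInst.exe TID 4432 is a growing retry back-off, one wait each, and its values reappear verbatim in that process's delay-time lines; the 500-per-call loop in EPWD.exe never shows up there because the delay-time signature only fires above its threshold.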
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor0
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002757000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisormanQ
Source: svchost.exe, 00000027.00000002.3797780636.0000029BE0657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.3796469815.0000029BDB224000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: EPWD.exe, 00000028.00000003.2157645886.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2147211883.00000000026DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitionI
Source: EPWD.exe, 00000028.00000002.4167649212.000000000271B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2175762439.0000000002715000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2157601561.0000000002737000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2191241066.0000000002717000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2163004883.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2189367062.0000000002717000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2166181294.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2171716755.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2206132509.000000000271B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2164382591.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2173163641.000000000271D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V eoinmhdholgxkkj Busk^\+
Source: svchost.exe, 00000010.00000003.2014146823.000002231FD17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,@ethernetwlanppipvmnetextension42}
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor\f
Source: TrGUI.exe, 00000026.00000002.4171332807.0000000001BB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: VsDrInst.exe, 00000022.00000003.2102901653.0000024013533000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmnetextension.cp.0.latn
Source: EPWD.exe, 00000028.00000002.4162205253.0000000000D61000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: Window Managervmwarewindow manageruser %s has session ID %lu, skippedCLogonSessionEnumerator::Enumf:\ckp\src\ep_client_watchdog\e86_60\watchdog\logonsessionenumerator.cppsession ID %lu has explorer.exesame session ID exists, will be removed, and will be added another one with explorer.exeAdding user %s with session %dsame session ID %lu exist, the session will not be addedGetProcessImageFileName failCLogonSessionEnumerator::GetTokenFromSessionexplorer.exe%s found and used to get tokenNo process %s found. Process %s was used to get token
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root PartitioniX
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes{Y
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition*vxy
Source: EPWD.exe, 00000028.00000003.2149450195.0000000002713000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processorra-
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition
Source: EPWD.exe, 00000028.00000003.2157531592.000000000270F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll
Source: EPWD.exe, 00000028.00000003.2190007221.0000000002718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: % Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: EPWD.exe, 00000028.00000003.2150131687.00000000026DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes%[5x
Source: svchost.exe, 00000024.00000003.2109810730.000001FE66924000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,@vmnetextension
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: EPWD.exe, 00000028.00000003.2189367062.0000000002717000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 48Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hype
Source: svchost.exe, 00000024.00000003.2110043897.000001FE66913000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @ethernetwlanppipvmnetextensionA1}
Source: EPWD.exe, 00000028.00000002.4163148983.000000000129E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count SnapshotrK
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesq
Source: VsDrInst.exe, 00000022.00000003.2101048917.0000024011A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmnetextension.
Source: svchost.exe, 00000010.00000003.2013400404.000002231FD37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@vmnetextension
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count SnapshotwA
Source: EPWD.exe, 00000028.00000002.4167649212.000000000271B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2175762439.0000000002715000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2157601561.0000000002737000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2191241066.0000000002717000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2163004883.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2189367062.0000000002717000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2166181294.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2171716755.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2206132509.000000000271B000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2164382591.000000000271D000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2173163641.000000000271D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V eoinmhdholgxkkj Bus Pipes
Source: EPWD.exe, 00000028.00000002.4167649212.0000000002690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor#
Source: EPWD.exe, 00000028.00000003.2189275555.0000000002963000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unt Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs Sent/sec5098GPA Space Hypercalls/sec5100Logical Processor Hypercalls/sec5102Long Spin Wait Hypercalls/sec5104Other Hypercalls/sec5106Synthe
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorertsl
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processorg
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor;
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root PartitionxX
Source: EPWD.exe, 00000028.00000002.4163148983.0000000001244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: EPWD.exe, 00000028.00000003.2190718073.000000000296E000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2148068803.0000000002951000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2190142652.000000000296A000.00000004.00000020.00020000.00000000.sdmp, EPWD.exe, 00000028.00000003.2146159935.0000000002951000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequen
Source: VsDrInst.exe, 00000022.00000003.2100759618.0000024011A3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HKR, Ndi\Interfaces,FilterMediaTypes,,"vmnetextension"
Source: TrGUI.exe, 00000026.00000000.2071494731.0000000001554000.00000008.00000001.01000000.00000008.sdmp, TrGUI.exe, 00000026.00000002.4170352642.000000000156D000.00000004.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192923169.0000000001554000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Windows\SysWOW64\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna dev exist cp_apvna
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna dev install "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.inf" cp_apvna
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna drv unload
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna drv load
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScvPlugins-64.reg"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScvProxy-64.reg"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Users\user\AppData\Local\Temp\2\Trac.config""
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Users\user\AppData\Local\Temp\2\Pireg.exe""
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Program Files (x86)\CheckPoint\Endpoint Connect\PiReg.exe""
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\sc.exe sc config wscsvc start= auto
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:daca4e3358f55059:VNA_Apollo.ndi:2.1.3.0:cp_apvna," "4b8ec8843" "0000000000000164"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe net start TracSrvWrapper
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe vna_install64.exe install "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.inf" cp_apvna
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe vna_install64.exe changestate cp_apvna 2
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start TracSrvWrapper
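The process-creation records above form one installer sequence: msiexec.exe drives vna_utils.exe, which in turn runs vna_install64.exe to install the vnaap.inf network driver package and change its state; DrvInst.exe stages the same package as oem4.inf; two .reg files are imported silently with regedit /s; the Security Center service (wscsvc) is set to auto-start; and the TracSrvWrapper service is started via net/net1. When triaging a report like this, an analyst typically wants those primitives pulled out of the flat record list and grouped by parent process. The following Python script is an added example, not part of this report and not Check Point's tooling: it parses such records into a parent/child tree, classifies each command line by install primitive, and lists the driver packages referenced. The sample records are copied from the report above; the regular expressions, the category names and the parsing of the child image path (first ".exe" after "Process created:") are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Fourteen "Process created" records copied from the report above (the "Jump to
# behavior" link text of the HTML report is dropped). The records are the report's
# own data; the parsing and category rules below are this example's assumptions.
RECORDS = r'''
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna dev exist cp_apvna
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna dev install "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.inf" cp_apvna
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna drv unload
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe" -d -ap vna drv load
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScvPlugins-64.reg"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ScvProxy-64.reg"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "del /F /Q "C:\Users\user\AppData\Local\Temp\2\Trac.config""
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\sc.exe sc config wscsvc start= auto
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:daca4e3358f55059:VNA_Apollo.ndi:2.1.3.0:cp_apvna," "4b8ec8843" "0000000000000164"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe net start TracSrvWrapper
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe vna_install64.exe install "C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.inf" cp_apvna
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_utils.exe Process created: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe vna_install64.exe changestate cp_apvna 2
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start TracSrvWrapper
'''

# One record per line. The child image path ends at the first ".exe" that is
# followed by a space; everything after it is the command line (assumption).
_LINE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe) (?P<cmdline>.*)$", re.I)

# Install-time primitives worth a second look when triaging an MSI. The first
# matching category wins; command lines matching none are reported as "other".
CATEGORIES = [
    ("driver_install",  re.compile(r"\bdrvinst\.exe\b|\bdev install\b|\binstall\b.*\.inf\b", re.I)),
    ("driver_state",    re.compile(r"\bdrv (?:load|unload)\b|\bchangestate\b", re.I)),
    ("registry_import", re.compile(r"\bregedit(?:\.exe)?\s+/s\b", re.I)),
    ("service_config",  re.compile(r"\bsc(?:\.exe)?\s+config\b", re.I)),
    ("service_start",   re.compile(r"\bnet1?(?:\.exe)?\s+start\b", re.I)),
    ("file_delete",     re.compile(r"\bdel\s+/[fq]\b", re.I)),
]

# Quoted paths ending in .inf name the driver packages the installer touches.
_INF = re.compile(r'"([^"]+\.inf)"', re.I)


def parse_records(text):
    """Return one dict (parent, child, cmdline) per well-formed record line."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(cmdline):
    for name, rx in CATEGORIES:
        if rx.search(cmdline):
            return name
    return "other"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_tree(events):
    """Map each parent image name to the list of child image names it spawned."""
    tree = defaultdict(list)
    for ev in events:
        tree[basename(ev["parent"])].append(basename(ev["child"]))
    return dict(tree)


def driver_packages(events):
    found = set()
    for ev in events:
        found.update(_INF.findall(ev["cmdline"]))
    return sorted(found)


def triage(text):
    """Parse the records and summarise what the installer did."""
    events = parse_records(text)
    for ev in events:
        ev["category"] = classify(ev["cmdline"])
    counts = Counter(ev["category"] for ev in events)
    flagged = [(ev["category"], basename(ev["parent"]), ev["cmdline"])
               for ev in events if ev["category"] != "other"]
    return {"events": len(events), "counts": dict(counts), "tree": process_tree(events),
            "driver_packages": driver_packages(events), "flagged": flagged}


if __name__ == "__main__":
    result = triage(RECORDS)
    print(f"{result['events']} process creations: {result['counts']}")
    for parent, children in result["tree"].items():
        print(f"{parent} -> {', '.join(children)}")
    print("driver packages:", result["driver_packages"])
    for category, parent, cmdline in result["flagged"]:
        print(f"[{category}] {parent}: {cmdline}")
```

The value of grouping this way is that the same command lines read very differently depending on the parent: msiexec.exe spawning sc.exe and regedit.exe from a signed vendor installer is routine, whereas the identical tree hanging off an Office process or a script host is not. The two "other" records (the vna dev exist probe and conhost.exe) are expected noise and are kept in the counts so the totals reconcile with the report.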
Source: TrGUI.exe, 00000026.00000000.2070710097.00000000011A7000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 00000026.00000002.4168506076.00000000011A7000.00000002.00000001.01000000.00000008.sdmp, TrGUI.exe, 0000002D.00000000.2192260225.00000000011A7000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: #sToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRectshell32QTrayIconMessageWindowregisterWindowClassvoid *ChangeWindowMessageFilterChangeWindowMessageFilterExuser32TaskbarCreatedThe platform plugin failed to create a message window.
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vnaap.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{369b8059-564b-5047-bee0-f93b6788686a}\vnaap.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{fc5ecf74-4dad-3146-9a2d-d1f65d32229a}\Vsdatant.cat VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\qt.conf VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\LangPack1.xml VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\newlogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\newlogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\ConnLogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\ConnLogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\reauthentication.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\reauthentication.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\reauthentication.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\reauthentication.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\certificate.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\certificate.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\certificate.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\certificate.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\triangle.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\triangle.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\header.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\header.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\welcome.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\welcome.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\finish.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\finish.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\finish.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\finish.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\erroricon.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\erroricon.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\KeyFob.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\KeyFob.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\PinPad.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\PinPad.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\soft.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\soft.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\error_connection.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\error_connection.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\ModuleBar.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\ModuleBar.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Modules-FW.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Modules-FW.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Modules-Compliance.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Modules-Compliance.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\endpointConnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\endpointConnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarBackground.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarBackground.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarLinkBackground.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarLinkBackground.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarButton.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarButton.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\cp_right.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\cp_right.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\cp_middle.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\cp_middle.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Modules-VPN.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Modules-VPN.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\statusBarGreen.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\statusBarGreen.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\statusBarRed.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\statusBarRed.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\statusBarOrange.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\statusBarOrange.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\CP_Left.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\CP_Left.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\ModuleBarHighlighted.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\ModuleBarHighlighted.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\ModuleBar.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\ModuleBar.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-InProgress.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-InProgress.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-OK.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-OK.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-Error.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-Error.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-NotRunning.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-NotRunning.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-Warning.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\State-Warning.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarButton.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarButton.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarButtonPressed.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sidebarButtonPressed.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBannerBig.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBannerBig.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\site.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\site.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\logs.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\logs.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\proxy.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\proxy.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\globe.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\globe.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sdl.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sdl.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\saa.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\saa.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\info.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\info.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\info.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\info.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\disconnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\disconnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\about.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\about.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\securityInfoIcon.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\securityInfoIcon.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\securityAlertIcon.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\securityAlertIcon.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\endpointBanner.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sad.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\sad.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\happy.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\happy.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\newlogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\newlogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\ConnLogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\ConnLogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\Apollo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\newlogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\newlogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\ConnLogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\EndpointSecurity\ConnLogo.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\error.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\error.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\endpointDisconnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\endpointDisconnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\error.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\error.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\endpointDisconnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\res\endpointDisconnected.png VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\Watchdog\EPWD.exe Queries volume information: C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe VolumeInformation
Source: C:\Program Files (x86)\CheckPoint\Endpoint Connect\vna_install64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: MSIC46E.tmp.1.dr Binary or memory string: %s\system32\ZoneLabs\vsmon.exe
Source: VsDrInst.exe, 00000022.00000003.2080739162.0000024011A5E000.00000004.00000020.00020000.00000000.sdmp, VsDrInst.exe, 00000022.00000003.2081339508.0000024011A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PGSETUP.EXE
Source: MSIC46E.tmp.1.dr Binary or memory string: %s\CheckPoint\ZoneAlarm\vsmon.exe
Source: VsDrInst.exe, 00000022.00000003.2080739162.0000024011A5E000.00000004.00000020.00020000.00000000.sdmp, VsDrInst.exe, 00000022.00000003.2081339508.0000024011A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 123.exe
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 Blob

Stealing of Sensitive Information

Source: C:\Windows\System32\svchost.exe Registry value created: