Windows Analysis Report
MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip

Overview

General Information

Sample name: MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip
Analysis ID: 1560303
MD5: 1c3bcaa1bdaddc9620cb683ddfc29c6e
SHA1: 00d16e6d4f1da74d65c0d62f9a5a7f42bd0d339f
SHA256: ec3680e6281f7638aa5658b302296a483bef6d9c132f32c21865d84b371107f3

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Installs new ROOT certificates
Registers a new ROOT certificate
Sigma detected: CMSTP Execution Process Creation
Uses cmd line tools excessively to alter registry or file data
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses reg.exe to modify the Windows registry

Classification

Source: Binary string: wextract.pdb source: VpnClientSetupAmd64.exe, 00000003.00000000.1231437957.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000006.00000002.1261207980.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000015.00000000.1430709877.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000017.00000002.1463121169.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: wextract.pdbGCTL source: VpnClientSetupAmd64.exe, 00000003.00000000.1231437957.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000006.00000002.1261207980.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000015.00000000.1430709877.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000017.00000002.1463121169.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: cmroute.pdbH source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr
Source: Binary string: cmroute.pdb source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl1.ame.gbl/aia/AMERoot_ameroot.crt0
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl1.ame.gbl/aia/BY2PKICSCA01.AME.GBL_AME%20CS%20CA%2001(2).crt0R
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl1.ame.gbl/crl/AME%20CS%20CA%2001(2).crl
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl1.ame.gbl/crl/ameroot.crl
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl2.ame.gbl/aia/AMERoot_ameroot.crt07
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl2.ame.gbl/aia/BY2PKICSCA01.AME.GBL_AME%20CS%20CA%2001(2).crt0R
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl2.ame.gbl/crl/AME%20CS%20CA%2001(2).crl
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl2.ame.gbl/crl/ameroot.crl
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl3.ame.gbl/aia/AMERoot_ameroot.crt07
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl3.ame.gbl/aia/BY2PKICSCA01.AME.GBL_AME%20CS%20CA%2001(2).crt0R
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl3.ame.gbl/crl/AME%20CS%20CA%2001(2).crl
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl3.ame.gbl/crl/ameroot.crl
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl4.ame.gbl/aia/BY2PKICSCA01.AME.GBL_AME%20CS%20CA%2001(2).crt0
Source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr String found in binary or memory: http://crl4.ame.gbl/crl/AME%20CS%20CA%2001(2).crl

E-Banking Fraud

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -addstore root C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Windows\System32\cmstp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer (copy)
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Windows\System32\cmstp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\SETE5.tmp
Source: C:\Windows\System32\cmstp.exe File created: C:\Windows\Temp\OLD502E.tmp
Source: C:\Windows\System32\cmstp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\SET503E.tmp
Source: C:\Windows\System32\cmstp.exe File deleted: C:\Windows\Temp\OLD5061.tmp
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Process created: C:\Windows\System32\cmstp.exe cmstp.exe /s /su /ns ce500069-adf3-426a-a91d-e5a0b4553b19.inf
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
Source: classification engine Classification label: mal56.bank.winZIP@27/52@0/0
Source: C:\Windows\System32\cmstp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Windows\System32\cmstp.exe Mutant created: \Sessions\1\BaseNamedObjects\Connection Manager Profile Installer Mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1556:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Process created: C:\Windows\System32\cmstp.exe cmstp.exe /s /su /ns ce500069-adf3-426a-a91d-e5a0b4553b19.inf
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c certutil -addstore root %APPDATA%\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -addstore root C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Process created: C:\Windows\System32\cmstp.exe cmstp.exe /s /su /ns ce500069-adf3-426a-a91d-e5a0b4553b19.inf
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c certutil -addstore root %APPDATA%\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -addstore root C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: unknown Process created: C:\Windows\System32\rasautou.exe "C:\Windows\system32\rasautou.exe" -o -f "C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" -e "Vnet-Lab-WE"
Source: C:\Windows\System32\rasautou.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Process created: C:\Windows\System32\cmstp.exe cmstp.exe /s /su /ns ce500069-adf3-426a-a91d-e5a0b4553b19.inf
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c certutil -addstore root %APPDATA%\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -addstore root C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Process created: C:\Windows\System32\cmstp.exe cmstp.exe /s /su /ns ce500069-adf3-426a-a91d-e5a0b4553b19.inf
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmstp.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c certutil -addstore root %APPDATA%\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -addstore root C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cmutil.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cmcfg32.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: rasman.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spinf.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spfileq.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spinf.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spfileq.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spinf.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spfileq.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cmcfg32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe Section loaded: profapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\certutil.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cmutil.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: version.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cmcfg32.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: rasman.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spinf.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spfileq.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spinf.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spfileq.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spinf.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: spfileq.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cmstp.exe Section loaded: cmcfg32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: certca.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rasdlg.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: cmdial32.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: cmpbk32.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: cmutil.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: setnetworklocation.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netsetupshim.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netsetupengine.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: cmlua.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: cmlua.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: comsvcs.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: rastls.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapprovp.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: eapphost.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\rasautou.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wextract.pdb source: VpnClientSetupAmd64.exe, 00000003.00000000.1231437957.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000006.00000002.1261207980.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000015.00000000.1430709877.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000017.00000002.1463121169.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: wextract.pdbGCTL source: VpnClientSetupAmd64.exe, 00000003.00000000.1231437957.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000006.00000002.1261207980.00007FF627459000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000015.00000000.1430709877.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp, VpnClientSetupAmd64.exe, 00000017.00000002.1463121169.00007FF77FFB9000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: cmroute.pdbH source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr
Source: Binary string: cmroute.pdb source: VpnClientSetupAmd64.exe, 00000006.00000003.1249442070.00000172EEE8B000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000007.00000003.1251744688.0000025039A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000003.1454652375.000001D7A9002000.00000004.00000020.00020000.00000000.sdmp, SET501E.tmp.24.dr, cmroute.dll.6.dr, OLD500E.tmp.24.dr, SETD5.tmp.7.dr

Persistence and Installation Behavior

Source: C:\Windows\System32\certutil.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob Jump to behavior
Source: C:\Windows\System32\cmstp.exe Process created: reg.exe
Source: C:\Windows\System32\cmstp.exe Process created: reg.exe
Source: C:\Windows\System32\cmstp.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\System32\cmstp.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\System32\cmstp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\SETD5.tmp Jump to dropped file
Source: C:\Windows\System32\cmstp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\cmroute.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\cmroute.dll Jump to dropped file
Source: C:\Windows\System32\cmstp.exe File created: C:\Windows\Temp\OLD500E.tmp Jump to dropped file
Source: C:\Windows\System32\cmstp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\SET501E.tmp Jump to dropped file
Source: C:\Windows\System32\cmstp.exe File created: C:\Windows\Temp\OLD500E.tmp Jump to dropped file
Source: C:\Windows\System32\reg.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasMan\PPP\EAP\13 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmstp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmstp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\SETD5.tmp
Source: C:\Windows\System32\cmstp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\cmroute.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e8a48b47bc6e903a5bcddebf2d9f99488f6556ac.zip\VpnClientSetupAmd64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\cmroute.dll
Source: C:\Windows\System32\cmstp.exe Dropped PE file which has not been started: C:\Windows\Temp\OLD500E.tmp
Source: C:\Windows\System32\cmstp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\SET501E.tmp
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: cmstp.exe, 00000018.00000002.1461867965.000001D7A8FB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMa
Source: cmstp.exe, 00000007.00000003.1252872378.0000025039A5C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000018.00000002.1461867965.000001D7A8FE6000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000025.00000002.2430357863.0000023910C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\rasautou.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -addstore root C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Cm\ce500069-adf3-426a-a91d-e5a0b4553b19\ce500069-adf3-426a-a91d-e5a0b4553b19.cer
Source: C:\Windows\System32\certutil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos