Edit tour

Windows Analysis Report
GlobalProtect64-6.3.1.msi

Overview

General Information

Sample name:	GlobalProtect64-6.3.1.msi
Analysis ID:	1543859
MD5:	ee67a64e6eec29580597358a7860c706
SHA1:	493877cd3362a44d59eda084b444455f755c3d29
SHA256:	eaa5e4fb71791a360bbabdf007f50861213ead504c649c26482d6529d9fb50dc
Infos:

Detection

Score:	28
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Creates files in the system32 config directory

Modifies the DNS server

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sample is not signed and drops a device driver

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables driver privileges

Enables security privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7284 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\GlobalProtect64-6.3.1.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7352 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

PanGPS.exe (PID: 5900 cmdline: "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit MD5: D9A82015A96F7EBEBD1B30F6B0BA1F86)

conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PanGPA.exe (PID: 5408 cmdline: "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" MD5: 300C8D493829B89674AB840CF163A111)

msedgewebview2.exe (PID: 1400 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=5408.6692.18028064762265798369 MD5: 9909D978B39FB7369F511D8506C17CA0)

msedgewebview2.exe (PID: 1272 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x110,0x160,0x164,0x140,0x16c,0x7ff8a7a58e88,0x7ff8a7a58e98,0x7ff8a7a58ea8 MD5: 9909D978B39FB7369F511D8506C17CA0)

msedgewebview2.exe (PID: 6980 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:2 MD5: 9909D978B39FB7369F511D8506C17CA0)

msedgewebview2.exe (PID: 1476 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2516 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:3 MD5: 9909D978B39FB7369F511D8506C17CA0)

msedgewebview2.exe (PID: 5004 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:8 MD5: 9909D978B39FB7369F511D8506C17CA0)

msedgewebview2.exe (PID: 5080 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1730120263967503 --launch-time-ticks=4791055134 --mojo-platform-channel-handle=3408 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:1 MD5: 9909D978B39FB7369F511D8506C17CA0)

svchost.exe (PID: 6460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6464 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

drvinst.exe (PID: 5424 cmdline: DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

svchost.exe (PID: 4012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

PanGPS.exe (PID: 6308 cmdline: "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" MD5: D9A82015A96F7EBEBD1B30F6B0BA1F86)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7352, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GlobalProtect

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6460, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION PanGPA.exe			Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION PanGPA.exe			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00001.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedInternal.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_busy.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap1.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\license.cfg	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedNone.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\uninstall.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedFail.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gp-public.pem	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap2.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\close1.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.avi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\WebView2Loader.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanMSAgent.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\app.sig	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\DEM64.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\res	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\res\help.chm	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\message.bin	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Semibold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok_msg.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanSupport.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\res\Panw-Logo.png	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Decimal-Medium-Pro.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Connected.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd64.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00003.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\close2.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\close3.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_stop.ico	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanProxyAgent.log
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pan_gp_event.log

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}

Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

File created: C:\Windows\INF\setupapi.app.log

Jump to behavior

Source:	Binary string: e:\workspace\GlobalProtect\Release6.3\globalprotect-release-6.3-RELENG_2\gp\release\6.3.1\win32\apps\PanMS\x64\Release\PanGPS.pdb source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: X509_NAME_ENTRYRDNSX509_NAME_ENTRIESNameX509_NAME_INTERNALX509_NAMEcrypto\x509\x_name.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g FIPS 21 Apr 2020built on: Sat Oct 15 03:31:49 2022 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not availablecrypto\fips\fips_post.crand_drbg_selftestType=assertion failed: len <= FIPS_MAX_CIPHER_TEST_SIZE0123456789abcdefcrypto\fips\fips.cFATAL FIPS SELFTEST FAILUREOPENSSL_ia32cap_OPENSSL_isserviceService-0xno stack?OpenSSLOpenSSL: FATAL%s:%d: OpenSSL internal error: %s source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AFF950 FindFirstFileExW,	8_2_00007FF8B8AFF950
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AFFAD4 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF8B8AFFAD4
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E148E4 FindFirstFileExW,	19_2_00007FF8B7E148E4

Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Local Storage\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Local Storage\leveldb\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\	Jump to behavior

Networking

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: gpfltdrv.sys.1.dr	Static PE information: Found NDIS imports: FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsApplyModifiedLayerData0, FwpsInjectNetworkSendAsync0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpmFilterDestroyEnumHandle0, FwpmFilterEnum0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteByKey0, FwpmFilterAdd0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectNetworkReceiveAsync0, FwpsReferenceNetBufferList0, FwpsDereferenceNetBufferList0, FwpsQueryPacketInjectionState0, FwpsQueryConnectionRedirectState0, FwpsFlowAssociateContext0, FwpsFlowRemoveContext0, FwpsCompleteClassify0, FwpsAcquireWritableLayerDataPointer0, FwpsCalloutRegister2, FwpsCalloutUnregisterById0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsRedirectHandleCreate0, FwpsRedirectHandleDestroy0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmSubLayerAdd0, FwpmCalloutAdd0
Source: PanGPS.exe.1.dr	Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpmSubLayerDeleteByKey0, FwpmFilterDeleteByKey0, FwpmTransactionAbort0, FwpmTransactionCommit0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteById0, FwpmFilterDestroyEnumHandle0, FwpmSubLayerAdd0, FwpmFilterEnum0, FwpmGetAppIdFromFileName0, FwpmCalloutDeleteByKey0, FwpmTransactionBegin0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmEngineClose0
Source: SET8C10.tmp.19.dr	Static PE information: Found NDIS imports: FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsApplyModifiedLayerData0, FwpsInjectNetworkSendAsync0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpmFilterDestroyEnumHandle0, FwpmFilterEnum0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteByKey0, FwpmFilterAdd0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectNetworkReceiveAsync0, FwpsReferenceNetBufferList0, FwpsDereferenceNetBufferList0, FwpsQueryPacketInjectionState0, FwpsQueryConnectionRedirectState0, FwpsFlowAssociateContext0, FwpsFlowRemoveContext0, FwpsCompleteClassify0, FwpsAcquireWritableLayerDataPointer0, FwpsCalloutRegister2, FwpsCalloutUnregisterById0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsRedirectHandleCreate0, FwpsRedirectHandleDestroy0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmSubLayerAdd0, FwpmCalloutAdd0

Source: global traffic

TCP traffic: 192.168.2.5:51418 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 162.159.61.3 162.159.61.3

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://127.0.0.1
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://127.0.0.1Software
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://captive.apple.com/hotspot-detect.html
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://captive.apple.com/hotspot-detect.html(P%u-T%u)%s(%4d):
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html(P%u-T%u)%s(%4d):
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://gp.test.com/big_file
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://gp.test.com/small_file
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://gp.test.com/small_filetrace

Source: unknown	Network traffic detected: HTTP traffic on port 51654 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51650 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51650
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51651
Source: unknown	Network traffic detected: HTTP traffic on port 51651 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51654
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51653

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\pangpd64.cat (copy)			Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\SET6E48.tmp			Jump to dropped file

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Code function: 19_2_00007FF8B7DF5F3C: EnterCriticalSection,_snwprintf_s,_snwprintf_s,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,CreateEventW,DeviceIoControl,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,GetOverlappedResult,CloseHandle,_snwprintf_s,GetLastError,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,

19_2_00007FF8B7DF5F3C

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Code function: 19_2_00007FF8B7E033D4 OpenSCManagerW,OpenServiceW,QueryServiceStatus,Sleep,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,_snwprintf_s,DeleteService,GetLastError,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,GetSystemDirectoryW,DeleteFileW,EnterCriticalSection,GetLastError,_snwprintf_s,LeaveCriticalSection,GetLastError,_snwprintf_s,CloseServiceHandle,CloseServiceHandle,

19_2_00007FF8B7E033D4

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys

Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

File created: C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48bce9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC68D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\PanPlapProvider.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\PanCredProv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\PanV2CredProv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\PanPlapApp.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}\_853F67D554F05449430E7E.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}\_F385DCA0A7C7248F54C3CD.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}\_2AE9C45021E1A96BA1E33A.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48bceb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48bceb.msi	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\3ware.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\61883.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\acxhdaudiop.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\adp80xx.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\amdsata.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\amdsbs.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\athw8x.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\avc.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\b57nd60a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\battery.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\bcmdhd64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\bcmwdidhdpcie.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\bda.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\btampm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\BthLCPen.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\bthmtpenum.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\BthOob.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\bthpan.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\bthprint.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\bthspp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\cht4nulx64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\cht4sx64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_1394.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_61883.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_apo.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_avc.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_barcodescanner.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_battery.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_biometric.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_bluetooth.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_camera.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_cashdrawer.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_cdrom.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_computeaccelerator.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_computer.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_diskdrive.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_display.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_dot4.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_dot4print.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_extension.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fdc.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_firmware.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_floppydisk.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsactivitymonitor.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsantivirus.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fscfsmetadataserver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fscompression.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fscontentscreener.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fscontinuousbackup.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fscopyprotection.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsencryption.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fshsm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsinfrastructure.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsopenfilebackup.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsphysicalquotamgmt.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsquotamgmt.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsreplication.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fssecurityenhancer.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fssystem.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fssystemrecovery.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsundelete.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_fsvirtualization.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_hdc.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_hidclass.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_holographic.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_image.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_infrared.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_keyboard.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_legacydriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_linedisplay.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_magneticstripereader.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_mcx.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_media.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_mediumchanger.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_memory.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_modem.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_monitor.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_mouse.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_mtd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_multifunction.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_multiportserial.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_net.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_netclient.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_netdriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_netservice.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_nettrans.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_pcmcia.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_pnpprinters.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_ports.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_printer.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_processor.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_proximity.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_receiptprinter.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_sbp2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_scmdisk.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_scmvolume.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_scsiadapter.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_sdhost.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_securitydevices.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_sensor.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_smartcard.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_smartcardfilter.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_smartcardreader.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_smrdisk.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_smrvolume.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_sslaccel.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_swcomponent.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_system.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_tapedrive.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_ucm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_unknown.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_usb.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_usbdevice.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_usbfn.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_volsnap.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_volume.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_wceusbs.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\c_wpd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\dc1-controller.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\dc21x4vm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\digitalmediadevice.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\displayoverride.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\e2xw10x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\eaphost.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ehstorpwddrv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\fidohid.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\fusionv2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\gameport.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\halextintclpiodma.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\halextpl080.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\hdaudss.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\heat.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\hidbthle.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\hidcfu.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\hidirkbd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\hidscanner.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\hidserv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\HidTelephonyDriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\hpsamd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\idtsec.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\image.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ipmidrv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ipoib6x.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ItSas35i.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ks.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\kscaptur.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\lltdio.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\lsi_sas2i.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\lsi_sas3i.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\lsi_sss.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mbtr8897w81x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mchgr.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdm3com.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdm5674a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmadc.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmagm64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmags64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmairte.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmaiwa.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmaiwa3.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmaiwa4.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmaiwa5.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmaiwat.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmar1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmarch.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmarn.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmati.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmatm2k.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmaus.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmboca.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmbsb.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmbug3.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmbw561.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmc26a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcdp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcm28.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcodex.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcom1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcommu.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcomp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcpq.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcpq2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcpv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcrtix.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcxhv6.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmcxpv6.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmdcm5.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmdcm6.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmdf56f.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmdgitn.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmdp2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmdsi.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmdyna.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmeiger.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmelsa.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmeric.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmeric2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmetech.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmfj2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgatew.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgcs.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgen.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl001.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl002.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl003.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl004.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl005.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl006.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl007.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl008.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl009.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgl010.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmgsm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmhaeu.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmhandy.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmhay2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmhayes.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdminfot.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmiodat.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmirmdm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmisdn.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmjf56e.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmke.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmkortx.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmlasat.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmlasno.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmlucnt.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmc288.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmcd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmcom.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmct.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmega.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmetri.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmhrtz.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmhzel.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmminij.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmod.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmot64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmoto1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmotou.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmmts.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmneuhs.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnis1u.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnis2u.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnis3t.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnis5t.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnokia.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnova.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmntt1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnttd2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnttd6.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnttme.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnttp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnttp2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmnttte.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmolic.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmomrn3.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmoptn.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmosi.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmpace.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmpenr.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmpin.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmpn1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmpp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmpsion.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmracal.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmrock.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmrock3.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmrock4.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmrock5.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsier.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsii64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsmart.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsonyu.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsun1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsun2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsupr3.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsupra.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmsuprv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtdk.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtdkj2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtdkj3.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtdkj4.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtdkj5.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtdkj6.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtdkj7.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtexas.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmti.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtkr.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmtron.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmusrf.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmusrg.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmusrgl.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmusrk1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmusrsp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmvdot.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmvv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmwhql0.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmx5560.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmzoom.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmzyp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmzyxel.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mdmzyxlg.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\megasas.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\megasas2i.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\megasas35i.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\megasr.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mf.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mgtdyn.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\microsoft_bluetooth_a2dp_snk.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\microsoft_bluetooth_a2dp_src.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\microsoft_bluetooth_hfp_ag.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\microsoft_bluetooth_hfp_hf.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\miradisp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\modemcsa.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mrvlpcie8897.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\msclmd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\msdri.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\msdv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mstape.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\msux64w10.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\multiprt.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mvumis.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\mwlu97w8x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ndiscap.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ndisimplatform.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ndisimplatformmp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ndisuio.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net1yx64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net44amd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net7400-x64-n650.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net7500-x64-n650f.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net7800-x64-n650f.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net8185.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net8187bv64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net8187se64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net8192se64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net8192su64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net819xp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\net9500-x64-n650f.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netathr10x.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netathrx.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netax88179_178a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netax88772.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netbc63a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netbc64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netbrdg.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netbxnda.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\nete1e3e.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\nete1g3e.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netefe3e.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netelx.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netg664.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netimm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netip6.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netirda.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netjme.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netk57a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netl160a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netl1c63x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netl1e64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netl260a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netlldp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netloop.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netmlx4eth63.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netmlx5.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netmscli.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netmyk64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netnb.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netnvm64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netnvma.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netnwifi.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netpacer.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netpgm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netr28ux.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netr28x.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netr7364.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrass.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrast.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrndis.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrtl64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrtwlane.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrtwlane01.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrtwlane_13.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrtwlans.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netrtwlanu.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netserv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\nett4x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\nettcpip.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netv1x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netvchannel.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netvf63a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netvg63a.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netvwifibus.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netvwififlt.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netvwifimp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netvwwanmp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwbw02.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwew00.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwew01.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwlv64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwmbclass.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwns64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwsw00.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwtw02.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwtw04.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwtw06.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netwtw08.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\netxex64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ntprint.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ntprint4.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\nulhpopr.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\nulhprs8.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\nvraid.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\oem0.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\oem1.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\oem3.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\oposdrv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\pcmcia.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\PerceptionSimulationHeadset.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\PerceptionSimulationSixDof.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\PerceptionSimulationSixDofModels.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\percsas2i.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\percsas3i.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\pnpxinternetgatewaydevices.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnge001.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms002.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms003.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms004.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms005.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms007.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms008.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms010.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms011.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms012.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms013.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\prnms014.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\qd3x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rawsilo.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rdcameradriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rdlsbuscbs.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rdpidd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rdvgwddmdx11.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\remoteposdrv.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rndiscmp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rspndr.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rt640x64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rtux64w10.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rtvdevx64.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\rtwlanu_oldIC.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\scmvolume.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\scrawpdo.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\scsidev.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\scunknown.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\sdbus.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\SDFLauncher.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\sensorsalsdriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\SensorsHidClassDriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\sensorsservicedriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\sisraid2.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\sisraid4.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\SmartSAMD.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\smrdisk.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\smrvolume.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\stexstor.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\sti.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\storfwupdate.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\tape.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\termkbd.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\tpmvsc.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\transfercable.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\tsprint.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\tsusbhubfilter.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ts_generic.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\ts_wpdmtp.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\uicciso.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\uiccspb.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\unknown.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\UsbccidDriver.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\usbncm.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\usbnet.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\usbvideo.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\vca.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\virtualdisplayadapter.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\volsnap.PNF	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\INF\vrd.PNF	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\48bceb.msi

Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8B05168	8_2_00007FF8B8B05168
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AFF950	8_2_00007FF8B8AFF950
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AFFAD4	8_2_00007FF8B8AFFAD4
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AF27AF	8_2_00007FF8B8AF27AF
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AF2035	8_2_00007FF8B8AF2035
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AF7468	8_2_00007FF8B8AF7468
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DF90F0	19_2_00007FF8B7DF90F0
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DFBDB8	19_2_00007FF8B7DFBDB8
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DFBBB0	19_2_00007FF8B7DFBBB0
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DF1250	19_2_00007FF8B7DF1250
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DFD154	19_2_00007FF8B7DFD154
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E148E4	19_2_00007FF8B7E148E4
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DF4750	19_2_00007FF8B7DF4750
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E16F30	19_2_00007FF8B7E16F30
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E146D8	19_2_00007FF8B7E146D8
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DFE6A0	19_2_00007FF8B7DFE6A0
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E1265C	19_2_00007FF8B7E1265C
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DF45D0	19_2_00007FF8B7DF45D0
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DF3DB0	19_2_00007FF8B7DF3DB0
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E01D40	19_2_00007FF8B7E01D40
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E1BD18	19_2_00007FF8B7E1BD18
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E0D3DC	19_2_00007FF8B7E0D3DC
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E003C4	19_2_00007FF8B7E003C4
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DFDBD0	19_2_00007FF8B7DFDBD0
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E1735C	19_2_00007FF8B7E1735C
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DF8350	19_2_00007FF8B7DF8350
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E19B18	19_2_00007FF8B7E19B18
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E11234	19_2_00007FF8B7E11234
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7DFC9D0	19_2_00007FF8B7DFC9D0
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E05160	19_2_00007FF8B7E05160
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E0D174	19_2_00007FF8B7E0D174

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: String function: 00007FF8B7DF1F54 appears 79 times
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: String function: 00007FF8B7DF2990 appears 115 times
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: String function: 00007FF8B7DF39FC appears 219 times

Source: libwaresource.dll.1.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: WdfCoinstaller01011.dll.1.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Microsoft Standalone Update, 897290 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows6.0-KB2685811-x64.cab", flags 0x4, number 1, extra bytes 20 in head, 31 datablocks, 0x1 compression
Source: WdfCoinstaller01011.dll.1.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Microsoft Standalone Update, 794777 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows6.1-KB2685811-x64.cab", flags 0x4, number 1, extra bytes 20 in head, 27 datablocks, 0x1 compression
Source: wa_3rd_party_host_32.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: wa_3rd_party_host_64.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

Source: WebView2Loader.dll.1.dr

Static PE information: Number of sections : 11 > 10

Source: PanGPA_SPANISH.dll.1.dr	Static PE information: No import functions for PE file found
Source: PanGPA_FRENCH.dll.1.dr	Static PE information: No import functions for PE file found
Source: libwaresource.dll.1.dr	Static PE information: No import functions for PE file found
Source: PanGPA_GERMAN.dll.1.dr	Static PE information: No import functions for PE file found
Source: PanGPA_JAPANESE.dll.1.dr	Static PE information: No import functions for PE file found
Source: PanGPA_CHINESE.dll.1.dr	Static PE information: No import functions for PE file found
Source: PanGPA_CHINESE_TRADITIONAL.dll.1.dr	Static PE information: No import functions for PE file found

Source: WdfCoinstaller01011.dll.1.dr

Static PE information: Section: .rsrc ZLIB complexity 0.9922124359783254

Source: classification engine

Classification label: sus28.troj.spyw.evad.winMSI@24/837@4/2

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Code function: 19_2_00007FF8B7DFFFD0 CoInitialize,CoCreateInstance,CoUninitialize,

19_2_00007FF8B7DFFFD0

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Code function: 19_2_00007FF8B7E04778 LoadResource,LockResource,SizeofResource,

19_2_00007FF8B7E04778

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\Palo Alto Networks

Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

File created: C:\Users\user\AppData\Local\Palo Alto Networks\

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Mutant created: NULL
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\GP_InstanceChecker_user

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF0981B5E01843200F.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: PanGPA.exe	String found in binary or memory: <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </LAUNCH_ICON> <TextNormal>83, 84, 89</TextNormal> <TextHighlighted>83, 84, 89</TextHighlighted> </CAPTION> <SEPA
Source: PanGPA.exe	String found in binary or memory: <CORNERS>2, 0, 2, 16</CORNERS> </BOTTOM> </BACK> <CAPTION> <LAUNCH_ICON> <SIZE>12, 12</SIZE> </LAUNCH_ICON> <TextNormal>255, 255, 255</TextNormal> <TextHighlighted>255, 255, 255</TextHighlighted> </CAPTION> <S
Source: PanGPA.exe	String found in binary or memory: SIZE>100, 17</SIZE> <CORNERS>3, 0, 4, 4</CORNERS> </BOTTOM> </BACK> <CAPTION> <LAUNCH_BTN> <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </LAUNCH_ICON>
Source: PanGPA.exe	String found in binary or memory: TTOM> <SIZE>100, 17</SIZE> <CORNERS>3, 0, 4, 4</CORNERS> </BOTTOM> </BACK> <CAPTION> <LAUNCH_BTN> <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </L
Source: PanGPA.exe	String found in binary or memory: <LAUNCH_BTN> <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </LAUNCH_ICON> <TextNormal>115, 131, 153</TextNormal> <TextHighlighted>115, 131, 153</TextHighlighted>
Source: PanGPS.exe	String found in binary or memory: The old interface cannot get un-installed. Please reboot computer and install again!

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\GlobalProtect64-6.3.1.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=5408.6692.18028064762265798369
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x110,0x160,0x164,0x140,0x16c,0x7ff8a7a58e88,0x7ff8a7a58e98,0x7ff8a7a58ea8
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:2
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2516 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:3
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:8
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1730120263967503 --launch-time-ticks=4791055134 --mojo-platform-channel-handle=3408 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: unknown	Process created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=5408.6692.18028064762265798369	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x110,0x160,0x164,0x140,0x16c,0x7ff8a7a58e88,0x7ff8a7a58e98,0x7ff8a7a58ea8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2516 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1730120263967503 --launch-time-ticks=4791055134 --mojo-platform-channel-handle=3408 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: psvctrl.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: netsetupshim.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: netsetupengine.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: spfileq.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: tcpipcfg.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: winbio.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: webview2loader.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: windows.system.profile.platformdiagnosticsandusagedatasettings.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: windows.system.profile.platformdiagnosticsandusagedatasettings.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: omadmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: iri.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: hevcdecoder.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dolbydecmft.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: ncryptprov.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: spinf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: drvstore.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: psvctrl.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: userenv.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wininet.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: msimg32.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: oledlg.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: secur32.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: cryptui.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: msi.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: pdh.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: oleacc.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: winmm.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: version.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: netutils.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dsrole.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: samcli.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: dpapi.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: winsta.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: amsi.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: profapi.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: devobj.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: devrtl.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: spinf.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: drvstore.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: spfileq.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: wldp.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: cabinet.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Section loaded: samlib.dll

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32

Jump to behavior

Source: GlobalProtect.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\Windows\Installer\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}\_F385DCA0A7C7248F54C3CD.exe
Source: PanGPSupport.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\Windows\Installer\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}\_2AE9C45021E1A96BA1E33A.exe

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00001.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedInternal.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_busy.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap1.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\license.cfg	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedNone.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\uninstall.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedFail.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\gp-public.pem	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bitmap2.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\close1.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.avi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\WebView2Loader.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanMSAgent.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\app.sig	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\DEM64.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\res	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\res\help.chm	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\message.bin	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Semibold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_ok_msg.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanSupport.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\res\Panw-Logo.png	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Decimal-Medium-Pro.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Connected.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd64.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\bmp00003.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\close2.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\close3.bmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\tray_stop.ico	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanProxyAgent.log
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Directory created: C:\Program Files\Palo Alto Networks\GlobalProtect\pan_gp_event.log

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}

Jump to behavior

Source: GlobalProtect64-6.3.1.msi

Static file information: File size 66512384 > 1048576

Source:	Binary string: e:\workspace\GlobalProtect\Release6.3\globalprotect-release-6.3-RELENG_2\gp\release\6.3.1\win32\apps\PanMS\x64\Release\PanGPS.pdb source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: X509_NAME_ENTRYRDNSX509_NAME_ENTRIESNameX509_NAME_INTERNALX509_NAMEcrypto\x509\x_name.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g FIPS 21 Apr 2020built on: Sat Oct 15 03:31:49 2022 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not availablecrypto\fips\fips_post.crand_drbg_selftestType=assertion failed: len <= FIPS_MAX_CIPHER_TEST_SIZE0123456789abcdefcrypto\fips\fips.cFATAL FIPS SELFTEST FAILUREOPENSSL_ia32cap_OPENSSL_isserviceService-0xno stack?OpenSSLOpenSSL: FATAL%s:%d: OpenSSL internal error: %s source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Code function: 8_2_00007FF8B8AF3B59 LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,GetLastError,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,GetLastError,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,

8_2_00007FF8B8AF3B59

Source: wa_3rd_party_host_32.exe.1.dr	Static PE information: section name: .didat
Source: wa_3rd_party_host_64.exe.1.dr	Static PE information: section name: .didat
Source: wa_3rd_party_host_64.exe.1.dr	Static PE information: section name: .gehcont
Source: libwaheap.dll.1.dr	Static PE information: section name: .gehcont
Source: libwalocal.dll.1.dr	Static PE information: section name: .gehcont
Source: libwautils.dll.1.dr	Static PE information: section name: .didat
Source: libwautils.dll.1.dr	Static PE information: section name: .gehcont
Source: WebView2Loader.dll.1.dr	Static PE information: section name: .00cfg
Source: WebView2Loader.dll.1.dr	Static PE information: section name: .gxfg
Source: WebView2Loader.dll.1.dr	Static PE information: section name: .retplne
Source: WebView2Loader.dll.1.dr	Static PE information: section name: _RDATA
Source: libwaapi.dll.1.dr	Static PE information: section name: .gehcont

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Palo Alto Networks\
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Palo Alto Networks\GlobalProtect\

Sample is not signed and drops a device driver

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanV2CredProv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\pangpd.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\WebView2Loader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\system32\DRIVERS\gpfltdrv.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\SET6DF9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanPlapProvider.dll	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\system32\DRIVERS\pangpd.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\System32\drivers\SET8C10.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanPlapApp.exe	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\System32\drivers\SET80A6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanCredProv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanV2CredProv.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\pangpd.sys (copy)	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\System32\drivers\SET8C10.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanPlapApp.exe	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\System32\drivers\SET80A6.tmp	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\system32\DRIVERS\gpfltdrv.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\SET6DF9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanPlapProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\PanCredProv.dll	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	File created: C:\Windows\system32\DRIVERS\pangpd.sys (copy)	Jump to dropped file

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

File created: C:\Windows\INF\setupapi.app.log

Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PanGpd

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect\GlobalProtect.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect\PanGPSupport.lnk	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GlobalProtect			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GlobalProtect			Jump to behavior

Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Code function: 19_2_00007FF8B7DFBBB0 SetupDiGetDeviceRegistryPropertyW,EnterCriticalSection,GetLastError,_snwprintf_s,LeaveCriticalSection,GetLastError,_snwprintf_s,_invalid_parameter_noinfo_noreturn,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,SetupDiClassGuidsFromNameExW,SetupDiGetClassDevsExW,SetupDiGetDeviceInfoListDetailW,SetupDiEnumDeviceInfo,CM_Get_Device_ID_ExW,wcsstr,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,CM_Get_DevNode_Status_Ex,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,EnterCriticalSection,_snwprintf_s,LeaveCriticalSection,_snwprintf_s,EnterCriticalSection,_snwprintf_s,_snwprintf_s,

19_2_00007FF8B7DFBBB0

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\PanV2CredProv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\pangpd.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Dropped PE file which has not been started: C:\Windows\system32\DRIVERS\gpfltdrv.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\SET6DF9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\PanPlapProvider.dll	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Dropped PE file which has not been started: C:\Windows\system32\DRIVERS\pangpd.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SET8C10.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\PanPlapApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys	Jump to dropped file
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SET80A6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\PanCredProv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll	Jump to dropped file

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	API coverage: 3.9 %
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	API coverage: 7.9 %

Source: C:\Windows\System32\svchost.exe TID: 7136

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe

Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File Volume queried: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Code Cache\wasm FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File Volume queried: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Code Cache\js FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File Volume queried: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Cache\Cache_Data FullSizeInformation

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AFF950 FindFirstFileExW,	8_2_00007FF8B8AFF950
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AFFAD4 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF8B8AFFAD4
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E148E4 FindFirstFileExW,	19_2_00007FF8B7E148E4

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Code function: 8_2_00007FF8B8AF4D2C VirtualQuery,GetSystemInfo,

8_2_00007FF8B8AF4D2C

Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Local Storage\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Local Storage\leveldb\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	File opened: C:\Users\user\	Jump to behavior

Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d vmware, get our adapter name is %s
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_ppp.DeviceDesc = "Microsoft Hyper-V VPN Network Adapter"
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d DLSAV6, numVmwareIf = %d
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d try get vmware information
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}\ChannelReferences\1",,0x0,"Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Network Adapter Installation Disk #1"
Source: PanGPS.exe, 00000006.00000003.3006710182.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 Hyper-V VF
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d pangp virtual adapter switched by hyper-v
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d ignore 3323, an vmware adapter???
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d DLSAV6, ignore 5006, an vmware adapter???
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc.DeviceDesc = "Microsoft Hyper-V Network Adapter"
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","OwningPublisher",0x0,"{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}"
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_eth.DeviceDesc = "Microsoft Hyper-V Ethernet Network Adapter"
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: CPanNetSetup::TrfExcludeLocalSubnet(P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d Traffic Enforcement: %s:numVmwareIf = %d
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: CPanNetSetup::RefreshDLSAV6Needed(P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d DLSAV6, numVmwareIf = %d
Source: PanGPS.exe, 00000006.00000003.3006710182.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 non Hyper-V VF
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d found vmware adapter or virtual box adapter: %S
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d ignore 3982, an vmware adapter???
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","ChannelAccess",0x0,"O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Source: msedgewebview2.exe, 0000000D.00000002.3441253117.000002590DE46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_gsm.DeviceDesc = "Microsoft Hyper-V GSM MBB Network Adapter"
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperVNetworkAdapterName = "Hyper-V Network Adapter Name"
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; Hyper-V Network Adapter Name
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: VMnet(P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d found vmware adapter switch: %S
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: VMwareVirtualBoxVMware Accelerated(P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d new vmware name inside windows, ignore it now
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Isolation",0x00010001,0
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d found vmware adapter switch: %S
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Enabled",0x00010001,0
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d ST,PANGP, found it, switch by hyper-v???
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: Switch(P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d PANGP, found it, switch by hyper-v???
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d DLSAV6, ignore index %d, it is a vmware adapter
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d PANGP, found it, switch by hyper-v???
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d numVmwareIf = %d
Source: PanGPS.exe, 00000006.00000003.3008694933.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GenericScsiVmLun = "Hyper-V LUN"
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d ignore index %d, it is a vmware adapter
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_wifi.DeviceDesc = "Microsoft Hyper-V WiFi Network Adapter"
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d Traffic Enforcement: %s:numVmwareIf = %d
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_cdma.DeviceDesc = "Microsoft Hyper-V CDMA MBB Network Adapter"
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}",,0x0,"Microsoft-Windows-Hyper-V-Netvsc"
Source: PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: (P%u-T%u)%s(%4d): %02d/%02d/%02d %02d:%02d:%02d:%03d new vmware name inside windows, ignore it now
Source: PanGPS.exe, 00000006.00000003.3009033545.000002861A5A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Type",0x00010001,2

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Code function: 8_2_00007FF8B8AFE648 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FF8B8AFE648

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

8_2_00007FF8B8AF3B59

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

8_2_00007FF8B8AF3B59

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Code function: 8_2_00007FF8B8AFCF80 GetProcessHeap,

8_2_00007FF8B8AFCF80

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8B00EC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8B8B00EC8
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AFE648 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8B8AFE648
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Code function: 8_2_00007FF8B8AF438C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8B8AF438C
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E0EF30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF8B7E0EF30
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E07A24 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00007FF8B7E07A24
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Code function: 19_2_00007FF8B7E081FC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF8B7E081FC

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x110,0x160,0x164,0x140,0x16c,0x7ff8a7a58e88,0x7ff8a7a58e98,0x7ff8a7a58ea8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2516 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1730120263967503 --launch-time-ticks=4791055134 --mojo-platform-channel-handle=3408 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:1	Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --enable-features=mojoipcz --mojo-named-platform-channel-pipe=5408.6692.18028064762265798369
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview\crashpad" --annotation=isofficialbuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=win64 "--annotation=prod=edge webview2" --annotation=ver=117.0.2045.47 --initial-client-data=0x110,0x160,0x164,0x140,0x16c,0x7ff8a7a58e88,0x7ff8a7a58e98,0x7ff8a7a58ea8
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1792 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:2
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2516 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:3
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-gb --service-sandbox-type=service --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:8
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-nacl --first-renderer-process --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_ch" --time-ticks-at-unix-epoch=-1730120263967503 --launch-time-ticks=4791055134 --mojo-platform-channel-handle=3408 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:1
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --enable-features=mojoipcz --mojo-named-platform-channel-pipe=5408.6692.18028064762265798369	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview\crashpad" --annotation=isofficialbuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=win64 "--annotation=prod=edge webview2" --annotation=ver=117.0.2045.47 --initial-client-data=0x110,0x160,0x164,0x140,0x16c,0x7ff8a7a58e88,0x7ff8a7a58e98,0x7ff8a7a58ea8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1792 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2516 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-gb --service-sandbox-type=service --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="c:\users\user\appdata\local\palo alto networks\globalprotect\gpaedge\captiveportalurl\ebwebview" --webview-exe-name=pangpa.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-nacl --first-renderer-process --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_ch" --time-ticks-at-unix-epoch=-1730120263967503 --launch-time-ticks=4791055134 --mojo-platform-channel-handle=3408 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=mojoipcz /prefetch:1	Jump to behavior

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Code function: 8_2_00007FF8B8B04F80 cpuid

8_2_00007FF8B8B04F80

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

19_2_00007FF8B7DFBBB0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\Trust Protection Lists\manifest.json VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\WidevineCdm\manifest.json VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe	Queries volume information: C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView\Default\Network\SCT Auditing Pending Reports VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\pangpd64.cat VolumeInformation
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Queries volume information: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log VolumeInformation

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

Code function: 8_2_00007FF62C3EE5EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_00007FF62C3EE5EC

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Code function: 19_2_00007FF8B7E04BC8 GetVersionExW,EnterCriticalSection,GetLastError,_snwprintf_s,LeaveCriticalSection,GetLastError,_snwprintf_s,

19_2_00007FF8B7E04BC8

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: PanGPS.exe, 00000006.00000003.3017385751.000002861A5F9000.00000004.00000020.00020000.00000000.sdmp, PanGPS.exe, 00000006.00000003.3015609756.000002861A5F9000.00000004.00000020.00020000.00000000.sdmp, PanGPS.exe, 00000006.00000003.3017683829.000002861A5FA000.00000004.00000020.00020000.00000000.sdmp, PanGPS.exe, 00000006.00000003.3017563730.000002861A5F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PGSETUP.EXE
Source: PanGPS.exe, 00000006.00000003.3017385751.000002861A5F9000.00000004.00000020.00020000.00000000.sdmp, PanGPS.exe, 00000006.00000003.3015609756.000002861A5F9000.00000004.00000020.00020000.00000000.sdmp, PanGPS.exe, 00000006.00000003.3017683829.000002861A5FA000.00000004.00000020.00020000.00000000.sdmp, PanGPS.exe, 00000006.00000003.3017563730.000002861A5F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 123.exe

Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION			Jump to behavior
Source: C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION			Jump to behavior

Stealing of Sensitive Information

Modifies the DNS server

Source: C:\Windows\System32\svchost.exe

Registry value created:

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Native API	1 Scripting	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	1 Network Sniffing	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 LSASS Driver	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 DLL Side-Loading	41 Windows Service	1 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	41 Windows Service	11 Process Injection	1 DLL Side-Loading	NTDS	1 Network Sniffing	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	56 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	133 Masquerading	Cached Domain Credentials	2 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	51 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	2 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GlobalProtect64-6.3.1.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_GERMAN.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_JAPANESE.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_SPANISH.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PanVcrediChecker.exe	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\WdfCoinstaller01011.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\WebView2Loader.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\gpfltdrv.sys	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\libwaapi.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\libwaheap.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\libwalocal.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\libwaresource.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\libwautils.dll	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.sys	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_32.exe	0%	ReversingLabs
C:\Program Files\Palo Alto Networks\GlobalProtect\wa_3rd_party_host_64.exe	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\SET6DF9.tmp	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{bde618de-3b74-034f-b443-966861a24834}\pangpd.sys (copy)	0%	ReversingLabs
C:\Windows\System32\PanCredProv.dll	0%	ReversingLabs
C:\Windows\System32\PanPlapApp.exe	0%	ReversingLabs
C:\Windows\System32\PanPlapProvider.dll	0%	ReversingLabs
C:\Windows\System32\PanV2CredProv.dll	0%	ReversingLabs
C:\Windows\System32\drivers\SET80A6.tmp	0%	ReversingLabs
C:\Windows\System32\drivers\SET8C10.tmp	0%	ReversingLabs
C:\Windows\system32\DRIVERS\gpfltdrv.sys (copy)	0%	ReversingLabs
C:\Windows\system32\DRIVERS\pangpd.sys (copy)	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.openssl.org/support/faq.html(P%u-T%u)%s(%4d):	PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	false		unknown
http://127.0.0.1Software	PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	false		unknown
https://gp.test.com/small_filetrace	PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	false		unknown
http://127.0.0.1	PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	false		unknown
https://gp.test.com/small_file	PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	false		unknown
https://gp.test.com/big_file	PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	false		unknown
http://www.openssl.org/support/faq.html	PanGPS.exe, 00000006.00000000.2978860740.00007FF6758FF000.00000002.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.61.3	chrome.cloudflare-dns.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543859
Start date and time:	2024-10-28 15:14:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GlobalProtect64-6.3.1.msi
Detection:	SUS
Classification:	sus28.troj.spyw.evad.winMSI@24/837@4/2
EGA Information:	Successful, ratio: 40%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.159.23, 20.190.159.4, 20.190.159.64, 20.190.159.2, 20.190.159.75, 40.126.31.71, 20.190.159.68, 40.126.31.69, 13.107.42.16, 184.28.90.27, 142.250.113.94, 142.250.115.94
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, www.gstatic.com, l-0007.l-msedge.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target msedgewebview2.exe, PID 5004 because there are no executed function
Execution Graph export aborted for target msedgewebview2.exe, PID 6980 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: GlobalProtect64-6.3.1.msi

Simulations

Behavior and APIs

Time	Type	Description
10:17:34	API Interceptor	2x Sleep call for process: svchost.exe modified
15:17:23	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run GlobalProtect "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	W9f3Fx6sL4.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	Payment for outstanding statements.pdf	Get hash	malicious	HTMLPhisher	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com	Get hash	malicious	Unknown	Browse
	Demande de proposition du CPE Les Coquins.pdf	Get hash	malicious	Unknown	Browse
	Demande de proposition du CPE Les Coquins.pdf	Get hash	malicious	Unknown	Browse
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	W9f3Fx6sL4.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	setup.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://2007.filemail.com/api/file/get?filekey=58mKUrTMdlmzqkRvo0UdVa2TMjJTCQiSNv5rUBtsDQTNU0dM4JzppUJaOrP_mWxCym0k9l5xEDeaXunPsHq6frY8XZH_gnclw86MefA3bpAlGuDkr77-xSqrMOQIlMdW5cRjwoOSCWIlTwpC48cNKMMHhMKp&track=P8fpm4ry&pk_vid=8a8b18f03738ae4f17297703684d559d	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	172.64.41.3
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	172.64.41.3
	https://www.filemail.com/t/cFCAI9C4	Get hash	malicious	HtmlDropper	Browse	172.64.41.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	EwKKdCrEDu.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Salary_Structure_Benefits_for_I.e.van.groenesteinIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Salary_Structure_Benefits_for_SridenourIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	W9f3Fx6sL4.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!s553e3fe901654d86bcc4ed44c7c05dd3&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0V1a19QbFZsQVlaTnZNVHRSTWZBWGRNQmtvbDQ2b1NlN1o5MGFiazNzS3lGSlE_ZT1UMnQ4S3Y&wd=target%28Sezione%20senza%20titolo.one%7C8d7e5173-6006-4648-a69d-e39e66e7041a%2FAblehnung%20Rechnung%20R15946098273-KU30_WE02%20Vom%2028%5C%2F%7Cd77916b9-b471-429a-a13e-74764563e56b%2F%29&wdorigin=NavigationUrl	Get hash	malicious	HTMLPhisher	Browse	104.21.79.135
	Okfjk1hs4kdhs2.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	33537
Entropy (8bit):	5.841403323070531
Encrypted:	false
SSDEEP:	768:vLweskXz7fTIxuSeXC/0w5Pl+yNJm2GiijPDixzGHkRtUDvC19PKNFRjtnoA35xS:DweskXz7fTIxuSeXC/0w5Pl+yNJm2GiZ
MD5:	3BFE94E346AEF2BF07BCDECDA16D5303
SHA1:	8CFE23AA091221C29880F01AD4B7CDBA28C224DD
SHA-256:	FB6611094A71E7F1005FABE8FEF397E0244CE720DA1DB25DA9E759267B3687B0
SHA-512:	01EB6900B861516DDCD4929F9DD30DEDC3431D944911329C92DF38AB2C92DD55E5EA0BC2B006FAE1AADD866EE044E556B5896C95D640DC06574561A36D955B05
Malicious:	false
Preview:	...@IXOS.@.....@'R\Y.@.....@.....@.....@.....@.....@......&.{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}..GlobalProtect..GlobalProtect64-6.3.1.msi.@.....@.....@.....@......_853F67D554F05449430E7E.exe..&.{EE37356D-D07C-43F6-8D20-35139031CF9B}.....@.....@.....@.....@.......@.....@.....@.......@......GlobalProtect......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{147E1698-DF2D-C421-588B-1BEC0AE53B84}&.{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}.@......&.{86766B4C-0308-5776-EEEE-BF0F68AD410C}&.{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}.@......&.{F7D8C07A-6492-6E55-F9CA-4FD419353CE3}&.{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}.@......&.{515B27B7-8E96-8C09-4BF1-4C86A1369093}&.{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}.@......&.{CEF533B3-20F7-AAE0-2239-993BDC6F874D}&.{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}.@......&.{84B784F4-BC1D-9C03-459A-845616284755}&.{62BC3D77-3D5D-4821-B162-5BF52C6B11AF}.@......&.{7A12B956-5961-F

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8307397378436924
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDuga:gJjJGtpTq2yv1AuNZRY3diu8iBVqFE
MD5:	9E2DF59D67B604737E1E936078DE0396
SHA1:	6EFECBBB8D843F0B5E782501D0DCE08523D90E32
SHA-256:	AA897DDB2B48E90B8D3E6C7C2806681AA606BF1504DE3CFC353F3E7AC0FDA15C
SHA-512:	8F69053E90D3C0CBC3F9C0BC72DADA973E20BD320BE1B4EFB63CAF56FA8BEDF327FC1B9B60008D55DF2A3E7AC9891E460CE8C3F067F52D66C5BF4522DE38C145
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2901
Entropy (8bit):	5.308790822360244
Encrypted:	false
SSDEEP:	48:YDEFMsFiHGS0afMeQFIF5oif93p8QSh/cIgwLURMYXylVotoWR5K1DAHB+mdrxmC:PNkGS1f3QFY5lf958rh/cI9URoDotosL
MD5:	853EEE2C56907EE962C494B631F386EC
SHA1:	1AC92AD371B448D71BEFE26C903FA206E932C3D1
SHA-256:	C5DF2B53980E8FF7CB3DB2FA4C15F029502427CDC50A94AC5E664F107F2A998B
SHA-512:	675B27ED3853F3378F5E2A3E2E962475F80682B2119296E7D7EA3327DB34CE51E41EC214DCC9C8CD2774681A8B38A2A9E7F463830EB1487C40CEF42DBFE738A4
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACs2ipmYAX7Q5eLDfKhmCSzEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAGJqjE6k+gmz4o0SRufQ6JT0qwvjNTL7fHy1ZdzJjx4QAAAAAOgAAAAAIAACAAAABlihj6X+k1o+AlgQy2GAAwDu0zpRj/08eeT7CIPXx2cTAAAAA1A7nMzPQN2Oj3vDVrgkHCVAx7Vf7jdTDZ0TaP0Lkfi+XMxItzVyiFMrqAtWFlZfpAAAAA/mo43xL2ClCF835ZvmHabFModP8yuKV/jLK5BTTirkuA7ntxEEXxfhg9BSi2O7B2m9VSfjNPkoHqbE9RMFc7Ug=="},"policy":{"last_statistics_update":"13374598654399654"},"profile":{"info_cache":{"Default":{"avatar_icon":"chrome://t

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4333
Entropy (8bit):	4.760587896237931
Encrypted:	false
SSDEEP:	96:I23N5XHo7pnFhdhEykjSY/BR9Ch60jelHWVx2IscstJqM1pMJM1McMrMZM9iDCZ/:pnX0hFhdxwIh60jel2Vx2TcGJqeEO9qR
MD5:	FC97A101113D88276C58400BBA7AAF77
SHA1:	814D0C9FBDEE6B3DABA6D18389536FDE536D3B2D
SHA-256:	20B44F3859A6FF1B7C644FC90CED4E7AB37CCF5CB50EC21D59A92906932A4842
SHA-512:	616AC0EB0BF54E4EFB94B9CF1A301E8AD08F13D7477256552BE616D450DB84614A3A7E5376EC7D3FC11E893C38CF578EB826FBF156B17B2CF48E5004470E5BDA
Malicious:	false
Preview:	;-------------------------------------------------------------------------------..; PANGPD.INF..;..; Palo Alto Networks GlobalProtect Virtual Ethernet Adapter..;..; Copyright (c) Palo Alto Networks. All rights reserved.....[version]..Signature = "$Windows NT$"..CatalogFile.ntx86 = pangpd.cat..CatalogFile.ntamd64 = pangpd64.cat..CatalogFile.ntarm64 = pangpdarm64.cat..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %PAN%..DriverVer = 03/02/2023,16.15.20.869....;-------------..;For NDIS 6.x..;-------------..[ControlFlags]..ExcludeFromSelect=....[Manufacturer]..%PAN% = PAN,ntx86,ntamd64,ntarm64....[PAN.ntx86]..%PanGpd.DeviceDesc% = PanGpd.ndi, PanGpd ..[PAN.ntamd64]..%PanGpd.DeviceDesc% = PanGpd.ndi, PanGpd ..[PAN.ntarm64]..%PanGpd.DeviceDesc% = PanGpd.ndi, PanGpd....[PanGpd.ndi]..Characteristics = 0x81 ; NCF_VIRTUAL \| NCF_HAS_UI..;For NDIS 6.x..IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaTy

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: x64;1033, Number of Pages: 200, Revision Number: {EE37356D-D07C-43F6-8D20-35139031CF9B}, Title: GlobalProtect64, Author: Palo Alto Networks, Comments: GlobalProtect 64bit, Number of Words: 2, Last Saved Time/Date: Wed Sep 11 00:50:57 2024, Last Printed: Wed Sep 11 00:50:57 2024
Entropy (8bit):	7.995639510217381
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	GlobalProtect64-6.3.1.msi
File size:	66'512'384 bytes
MD5:	ee67a64e6eec29580597358a7860c706
SHA1:	493877cd3362a44d59eda084b444455f755c3d29
SHA256:	eaa5e4fb71791a360bbabdf007f50861213ead504c649c26482d6529d9fb50dc
SHA512:	155b773109ea2a85c1b17287f370a4946a3b22b5e77ade0c2d99189fed2ff4faa573d5c2ca5602f4d6031f491605b0f8b9d3e466eb0e9e1cee10be35b2a0e04d
SSDEEP:	1572864:+7lnBQ8U4BfikZwJgJAxw2TrW3TByP+4nVW9ijr1PBrB0OyQjnDXN:GBQr8ietJKwUWK+xg/1PBSOnvXN
TLSH:	E1E733BF751A1F2BD28AF9F43572170A4FA53E2809ACC0886652FF71B07D560A1B75C2
File Content Preview:	........................>...................................8...................x..............................................................................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 15:16:16.394383907 CET	51418	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:16:16.401232958 CET	53	51418	1.1.1.1	192.168.2.5
Oct 28, 2024 15:16:16.402924061 CET	51418	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:16:16.409670115 CET	53	51418	1.1.1.1	192.168.2.5
Oct 28, 2024 15:16:17.009251118 CET	51418	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:16:17.015443087 CET	53	51418	1.1.1.1	192.168.2.5
Oct 28, 2024 15:16:17.015510082 CET	51418	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:17:41.007802963 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.007846117 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.008030891 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.008342981 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.008357048 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.430685043 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.430793047 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.430879116 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.443063974 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.443101883 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.676348925 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.676954031 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.676965952 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.678599119 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.678675890 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.684149981 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.684237957 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.684427023 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.728851080 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.728879929 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.775722027 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.809545994 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.809601068 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.809758902 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.810080051 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.810097933 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.814064980 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.814131975 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.814189911 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.814476013 CET	51650	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.814490080 CET	443	51650	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.903033972 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.903083086 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:41.903161049 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.916781902 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:41.916806936 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.053482056 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.053929090 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.053958893 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.057502985 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.057580948 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.080413103 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.080632925 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.080671072 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.127335072 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.135107994 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.135142088 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.181979895 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.213485956 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.213587046 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.213641882 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.214646101 CET	51651	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.214669943 CET	443	51651	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.423449993 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.423944950 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.423974991 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.427520990 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.427642107 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.428164959 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.428350925 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.428379059 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.475358009 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.478849888 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.478861094 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.518342972 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.519058943 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.519073963 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.520526886 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.520608902 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.521064997 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.521145105 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.521275997 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.525711060 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.558917999 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.559083939 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.560029030 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.560141087 CET	51653	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.560159922 CET	443	51653	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.567329884 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.572621107 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.572632074 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.619472027 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.647695065 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.647846937 CET	443	51654	162.159.61.3	192.168.2.5
Oct 28, 2024 15:17:42.648019075 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.648228884 CET	51654	443	192.168.2.5	162.159.61.3
Oct 28, 2024 15:17:42.648246050 CET	443	51654	162.159.61.3	192.168.2.5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 15:16:16.391932011 CET	53	53749	1.1.1.1	192.168.2.5
Oct 28, 2024 15:17:40.998085976 CET	53493	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:17:40.998085976 CET	49423	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:17:41.006865025 CET	53	53493	1.1.1.1	192.168.2.5
Oct 28, 2024 15:17:41.006877899 CET	53	49423	1.1.1.1	192.168.2.5
Oct 28, 2024 15:17:41.068730116 CET	61669	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:17:41.069000006 CET	53770	53	192.168.2.5	1.1.1.1
Oct 28, 2024 15:17:41.429611921 CET	53	61669	1.1.1.1	192.168.2.5
Oct 28, 2024 15:17:41.429625988 CET	53	53770	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
2024-10-28 14:17:41 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-10-28 14:17:41 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-10-28 14:17:41 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 28 Oct 2024 14:17:41 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8d9b8d03ee8c2e1b-DFW alt-svc: h3=":443"; ma=86400
2024-10-28 14:17:41 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 e9 00 04 8e fa 71 5e 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomq^)

Timestamp	Bytes transferred	Direction	Data
2024-10-28 14:17:42 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-10-28 14:17:42 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-10-28 14:17:42 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 28 Oct 2024 14:17:42 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8d9b8d066c55e983-DFW alt-svc: h3=":443"; ma=86400
2024-10-28 14:17:42 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 58 00 04 8e fa 73 5e 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomXs^)

Target ID:	0
Start time:	10:15:59
Start date:	28/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\GlobalProtect64-6.3.1.msi"
Imagebase:	0x7ff762cb0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	10:17:22
Start date:	28/10/2024
Path:	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit
Imagebase:	0x7ff674fc0000
File size:	14'137'120 bytes
MD5 hash:	D9A82015A96F7EBEBD1B30F6B0BA1F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	10:17:31
Start date:	28/10/2024
Path:	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"
Imagebase:	0x7ff62bf80000
File size:	13'805'856 bytes
MD5 hash:	300C8D493829B89674AB840CF163A111
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	9
Start time:	10:17:33
Start date:	28/10/2024
Path:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=5408.6692.18028064762265798369
Imagebase:	0x7ff6e4f90000
File size:	3'749'328 bytes
MD5 hash:	9909D978B39FB7369F511D8506C17CA0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	15
Start time:	10:17:35
Start date:	28/10/2024
Path:	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\GPAEdge\CaptivePortalUrl\EBWebView" --webview-exe-name=PanGPA.exe --webview-exe-version=6.3.1-376 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1730120263967503 --launch-time-ticks=4791055134 --mojo-platform-channel-handle=3408 --field-trial-handle=1800,i,11688773997540430424,5847246775237165280,262144 --enable-features=MojoIpcz /prefetch:1
Imagebase:	0x7ff6e4f90000
File size:	3'749'328 bytes
MD5 hash:	9909D978B39FB7369F511D8506C17CA0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	16
Start time:	10:17:56
Start date:	28/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	18
Start time:	10:17:58
Start date:	28/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	19
Start time:	10:18:03
Start date:	28/10/2024
Path:	C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"
Imagebase:	0x7ff674fc0000
File size:	14'137'120 bytes
MD5 hash:	D9A82015A96F7EBEBD1B30F6B0BA1F86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.6%
Total number of Nodes:	560
Total number of Limit Nodes:	6

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GlobalProtect64-6.3.1.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Bitcoin Miner

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\48bcea.rbs

C:\Program Files\Palo Alto Networks\GlobalProtect\Connected.bmp

C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedFail.bmp

C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedInternal.bmp

C:\Program Files\Palo Alto Networks\GlobalProtect\ConnectedNone.bmp

C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.avi

C:\Program Files\Palo Alto Networks\GlobalProtect\Connecting.bmp

C:\Program Files\Palo Alto Networks\GlobalProtect\DEM64.msi

C:\Program Files\Palo Alto Networks\GlobalProtect\Decimal-Medium-Pro.otf

C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Regular.ttf

C:\Program Files\Palo Alto Networks\GlobalProtect\Lato-Semibold.ttf

C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.ico

C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE.dll

C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_CHINESE_TRADITIONAL.dll

C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA_FRENCH.dll

Windows Analysis Report
GlobalProtect64-6.3.1.msi

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre